
openSUSE-SU-2017:2169-1

Published: 15 Aug 2017
Source: suse-cvrf

Description

Security update for the Linux Kernel

The openSUSE Leap 42.2 kernel was updated to receive various security fixes and bugfixes.

The following security bugs were fixed:

  • CVE-2017-1000111: Fixed a race condition in net-packet code that could be exploited to cause out-of-bounds memory access (bsc#1052365).
  • CVE-2017-1000112: Fixed a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052311).
  • CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994).

The following non-security bugs were fixed:

  • IB/hfi1: Wait for QSFP modules to initialize (bsc#1019151).
  • bcache: force trigger gc (bsc#1038078).
  • bcache: only recovery I/O error for writethrough mode (bsc#1043652).
  • block: do not allow updates through sysfs until registration completes (bsc#1047027).
  • ibmvnic: Check for transport event on driver resume (bsc#1051556, bsc#1052709).
  • ibmvnic: Initialize SCRQ's during login renegotiation (bsc#1052223).
  • ibmvnic: Report rx buffer return codes as netdev_dbg (bsc#1052794).
  • iommu/amd: Fix schedule-while-atomic BUG in initialization code (bsc#1052533).
  • libnvdimm, pmem: fix a NULL pointer BUG in nd_pmem_notify (bsc#1023175).
  • libnvdimm: fix badblock range handling of ARS range (bsc#1023175).
  • qeth: fix L3 next-hop in xmit qeth hdr (bnc#1052773, LTC#157374).
  • scsi_devinfo: fixup string compare (bsc#1037404).
  • scsi_dh_alua: suppress errors from unsupported devices (bsc#1038792).
  • vfs: fix missing inode_get_dev sites (bsc#1052049).
  • x86/dmi: Switch dmi_remap() from ioremap() to ioremap_cache() (bsc#1051399).

Package list

openSUSE Leap 42.2
kernel-debug-4.4.79-18.26.2
kernel-debug-base-4.4.79-18.26.2
kernel-debug-devel-4.4.79-18.26.2
kernel-default-4.4.79-18.26.2
kernel-default-base-4.4.79-18.26.2
kernel-default-devel-4.4.79-18.26.2
kernel-devel-4.4.79-18.26.1
kernel-docs-4.4.79-18.26.3
kernel-docs-html-4.4.79-18.26.3
kernel-docs-pdf-4.4.79-18.26.3
kernel-macros-4.4.79-18.26.1
kernel-obs-build-4.4.79-18.26.2
kernel-obs-qa-4.4.79-18.26.1
kernel-source-4.4.79-18.26.1
kernel-source-vanilla-4.4.79-18.26.1
kernel-syms-4.4.79-18.26.1
kernel-vanilla-4.4.79-18.26.2
kernel-vanilla-base-4.4.79-18.26.2
kernel-vanilla-devel-4.4.79-18.26.2

Description

Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.


Affected products
openSUSE Leap 42.2:kernel-debug-4.4.79-18.26.2
openSUSE Leap 42.2:kernel-debug-base-4.4.79-18.26.2
openSUSE Leap 42.2:kernel-debug-devel-4.4.79-18.26.2
openSUSE Leap 42.2:kernel-default-4.4.79-18.26.2

References

Description

Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, in between two send() calls, the append path can be switched from the UFO to the non-UFO one, which leads to memory corruption. If the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate a new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed the MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in the IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.


Affected products
openSUSE Leap 42.2:kernel-debug-4.4.79-18.26.2
openSUSE Leap 42.2:kernel-debug-base-4.4.79-18.26.2
openSUSE Leap 42.2:kernel-debug-devel-4.4.79-18.26.2
openSUSE Leap 42.2:kernel-default-4.4.79-18.26.2

References

Description

The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.11.5 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a "double fetch" vulnerability.
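The "double fetch" pattern named above, reduced to a deterministic user-space model (an added example, not the saa7164 driver code or anything from the advisory). `shared_seqno`, `fetch_seqno()` and the racing writer are hypothetical stand-ins for a sequence number in memory that another agent can rewrite between the bounds check and the use.

```c
#include <stdio.h>
#include <stdint.h>

#define NSLOTS 8   /* size of the table the sequence number would index */

/* Constructed stand-in for memory another agent can rewrite at any time.
 * flip_after/flip_to model that agent winning the race deterministically. */
static volatile uint32_t shared_seqno;
static int fetches, flip_after;
static uint32_t flip_to;

static uint32_t fetch_seqno(void)
{
    uint32_t v = shared_seqno;
    if (++fetches == flip_after)
        shared_seqno = flip_to;      /* racing writer changes the value */
    return v;
}

/* Double fetch: checks one read, uses a second read.
 * Returns the index it would use, or -1 if the check rejected it. */
static long lookup_double_fetch(void)
{
    if (fetch_seqno() >= NSLOTS)     /* fetch 1: bounds check */
        return -1;
    return (long)fetch_seqno();      /* fetch 2: use, value may differ */
}

/* Hardened form: snapshot once, check and use the same local copy. */
static long lookup_single_fetch(void)
{
    uint32_t seq = fetch_seqno();
    return seq >= NSLOTS ? -1 : (long)seq;
}

/* Writer changes seqno from 3 to 4096 right after the first fetch. */
static long run_with_race(long (*lookup)(void))
{
    shared_seqno = 3; fetches = 0; flip_after = 1; flip_to = 4096;
    return lookup();
}

static int in_bounds(long idx) { return idx >= 0 && idx < NSLOTS; }

int main(void)
{
    long d = run_with_race(lookup_double_fetch);
    long s = run_with_race(lookup_single_fetch);
    printf("double fetch: index %ld in_bounds=%d\n", d, in_bounds(d));
    printf("single fetch: index %ld in_bounds=%d\n", s, in_bounds(s));
    return 0;
}
```

The functions return the index instead of dereferencing it, so the out-of-range result is observable without undefined behaviour.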


Affected products
openSUSE Leap 42.2:kernel-debug-4.4.79-18.26.2
openSUSE Leap 42.2:kernel-debug-base-4.4.79-18.26.2
openSUSE Leap 42.2:kernel-debug-devel-4.4.79-18.26.2
openSUSE Leap 42.2:kernel-default-4.4.79-18.26.2

References