openSUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:0906-1
Rating:             important
References:         #1019851 #1020602 #1022785 #1023377 #1025235 
                    #1026722 #1026914 #1027066 #1027178 #1027179 
                    #1027189 #1027190 #1027565 #1028415 #1029986 
                    #1030118 #1030573 #968697 
Cross-References:   CVE-2016-10200 CVE-2016-10208 CVE-2016-2117
                    CVE-2017-2583 CVE-2017-2584 CVE-2017-2596
                    CVE-2017-2636 CVE-2017-5669 CVE-2017-6214
                    CVE-2017-6345 CVE-2017-6346 CVE-2017-6347
                    CVE-2017-6348 CVE-2017-6353 CVE-2017-7184
                   
Affected Products:
                    openSUSE Leap 42.1
______________________________________________________________________________

   An update that solves 15 vulnerabilities and has three
   fixes is now available.

Description:



   The openSUSE Leap 42.1 kernel was updated to 4.1.39 to receive various
   security and bugfixes.

   The following security bugs were fixed:

   - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel
     did not restrict the address calculated by a certain rounding operation,
     which allowed local users to map page zero, and consequently bypass a
     protection mechanism that exists for the mmap system call, by making
     crafted shmget and shmat system calls in a privileged context
     (bnc#1026914).
   - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the
     Linux kernel improperly manages lock dropping, which allowed local users
     to cause a denial of service (deadlock) via crafted operations on IrDA
     devices (bnc#1027178).
   - CVE-2017-7184: The xfrm_replay_verify_len function in
     net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size
     data after an XFRM_MSG_NEWAE update, which allowed local users to obtain
     root privileges or cause a denial of service (heap-based out-of-bounds
     access) by leveraging the CAP_NET_ADMIN capability, as demonstrated
     during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10
     linux-image-* package 4.8.0.41.52 (bnc#1030573).
   - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in
     the Linux kernel allowed local users to gain privileges or cause a
     denial of service (use-after-free) by making multiple bind system calls
     without properly ascertaining whether a socket has the SOCK_ZAPPED
     status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c
     (bnc#1028415).
   - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux
     kernel allowed local users to gain privileges or cause a denial of
     service (double free) by setting the HDLC line discipline (bnc#1027565).
   - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that
     a certain destructor exists in required circumstances, which allowed
     local users to cause a denial of service (BUG_ON) or possibly have
     unspecified other impact via crafted system calls (bnc#1027190).
   - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux
     kernel allowed local users to cause a denial of service (use-after-free)
     or possibly have unspecified other impact via a multithreaded
     application that made PACKET_FANOUT setsockopt system calls
     (bnc#1027189).
   - CVE-2017-6347: The ip_cmsg_recv_checksum function in
     net/ipv4/ip_sockglue.c in the Linux kernel has incorrect expectations
     about skb data layout, which allowed local users to cause a denial of
     service (buffer over-read) or possibly have unspecified other impact via
     crafted system calls, as demonstrated by use of the MSG_MORE flag in
     conjunction with loopback UDP transmission (bnc#1027179).
   - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly
     restrict association peel-off operations during certain wait states,
     which allowed local users to cause a denial of service (invalid unlock
     and double free) via a multithreaded application.  NOTE: this
     vulnerability exists because of an incorrect fix for CVE-2017-5986
     (bnc#1025235).
   - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the
     Linux kernel allowed remote attackers to cause a denial of service
     (infinite loop and soft lockup) via vectors involving a TCP packet with
     the URG flag (bnc#1026722).
   - CVE-2016-2117: The atl2_probe function in
     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly
     enables scatter/gather I/O, which allowed remote attackers to obtain
     sensitive information from kernel memory by reading packet data
     (bnc#968697).
   - CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the
     Linux kernel did not properly validate meta block groups, which allowed
     physically proximate attackers to cause a denial of service
     (out-of-bounds read and system crash) via a crafted ext4 image
     (bnc#1023377).
   - CVE-2017-2596: The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c
     in the Linux kernel improperly emulates the VMXON instruction, which
     allowed KVM L1 guest OS users to cause a denial of service (host OS
     memory consumption) by leveraging the mishandling of page references
     (bnc#1022785).
   - CVE-2017-2583: The load_segment_descriptor implementation in
     arch/x86/kvm/emulate.c in the Linux kernel improperly emulates a "MOV
     SS, NULL selector" instruction, which allowed guest OS users to cause a
     denial of service (guest OS crash) or gain guest OS privileges via a
     crafted application (bnc#1020602).
   - CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux kernel allowed local
     users to obtain sensitive information from kernel memory or cause a
     denial of service (use-after-free) via a crafted application that
     leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt
     (bnc#1019851).

   The following non-security bugs were fixed:

   - Fix kABI breakage of musb struct in 4.1.39 (stable 4.1.39).
   - Revert "ptrace: Capture the ptracer's creds not PT_PTRACE_CAP" (stable
     4.1.39).
   - ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986).
   - ext4: validate s_first_meta_bg at mount time (bsc#1023377).
   - kabi/severities: Ignore x86/kvm kABI changes for 4.1.39
   - l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415).
   - l2tp: fix lookup for sockets not bound to a device in l2tp_ip
     (bsc#1028415).
   - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind()
     (bsc#1028415).
   - l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()
     (bsc#1028415).
   - l2tp: lock socket before checking flags in connect() (bsc#1028415).
   - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bsc#1030118).


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.1:

      zypper in -t patch openSUSE-2017-419=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE Leap 42.1 (i586 x86_64):

      kernel-default-4.1.39-53.1
      kernel-default-base-4.1.39-53.1
      kernel-default-base-debuginfo-4.1.39-53.1
      kernel-default-debuginfo-4.1.39-53.1
      kernel-default-debugsource-4.1.39-53.1
      kernel-default-devel-4.1.39-53.1
      kernel-obs-build-4.1.39-53.1
      kernel-obs-build-debugsource-4.1.39-53.1
      kernel-obs-qa-4.1.39-53.1
      kernel-syms-4.1.39-53.1

   - openSUSE Leap 42.1 (i686 x86_64):

      kernel-debug-4.1.39-53.1
      kernel-debug-base-4.1.39-53.1
      kernel-debug-base-debuginfo-4.1.39-53.1
      kernel-debug-debuginfo-4.1.39-53.1
      kernel-debug-debugsource-4.1.39-53.1
      kernel-debug-devel-4.1.39-53.1
      kernel-debug-devel-debuginfo-4.1.39-53.1
      kernel-ec2-4.1.39-53.1
      kernel-ec2-base-4.1.39-53.1
      kernel-ec2-base-debuginfo-4.1.39-53.1
      kernel-ec2-debuginfo-4.1.39-53.1
      kernel-ec2-debugsource-4.1.39-53.1
      kernel-ec2-devel-4.1.39-53.1
      kernel-pv-4.1.39-53.1
      kernel-pv-base-4.1.39-53.1
      kernel-pv-base-debuginfo-4.1.39-53.1
      kernel-pv-debuginfo-4.1.39-53.1
      kernel-pv-debugsource-4.1.39-53.1
      kernel-pv-devel-4.1.39-53.1
      kernel-vanilla-4.1.39-53.1
      kernel-vanilla-debuginfo-4.1.39-53.1
      kernel-vanilla-debugsource-4.1.39-53.1
      kernel-vanilla-devel-4.1.39-53.1
      kernel-xen-4.1.39-53.1
      kernel-xen-base-4.1.39-53.1
      kernel-xen-base-debuginfo-4.1.39-53.1
      kernel-xen-debuginfo-4.1.39-53.1
      kernel-xen-debugsource-4.1.39-53.1
      kernel-xen-devel-4.1.39-53.1

   - openSUSE Leap 42.1 (noarch):

      kernel-devel-4.1.39-53.1
      kernel-docs-4.1.39-53.2
      kernel-docs-html-4.1.39-53.2
      kernel-docs-pdf-4.1.39-53.2
      kernel-macros-4.1.39-53.1
      kernel-source-4.1.39-53.1
      kernel-source-vanilla-4.1.39-53.1

   - openSUSE Leap 42.1 (i686):

      kernel-pae-4.1.39-53.1
      kernel-pae-base-4.1.39-53.1
      kernel-pae-base-debuginfo-4.1.39-53.1
      kernel-pae-debuginfo-4.1.39-53.1
      kernel-pae-debugsource-4.1.39-53.1
      kernel-pae-devel-4.1.39-53.1
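
A host can have the fixed package installed and still be running the old kernel until it reboots. The script below is an added example, not part of the advisory: it classifies a host as unpatched, reboot-required, or fixed against the 4.1.39-53.1 version-release from the package list above. It assumes the "default" kernel flavor, GNU `sort -V`, and a `uname -r` string of the form "4.1.39-53-default"; all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): compare installed and running
# kernel versions with the fixed version-release from the Package List.
FIXED="4.1.39-53.1"

# version_ge A B: true when A >= B. GNU `sort -V` is used as an
# approximation of RPM ordering; it is adequate for purely numeric
# version-release strings such as the ones in this advisory.
version_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# newest_installed: read "version-release" lines on stdin and print the
# highest one. Lines that do not start with a digit (for example rpm's
# "package ... is not installed" message) are ignored.
newest_installed() {
    grep '^[0-9]' | sort -V | tail -n 1
}

# running_vr UNAME_R: strip the flavor suffix ("-default", "-xen", ...).
# Assumption: uname -r carries the release without its last dotted
# component, e.g. package 4.1.39-53.1 boots as 4.1.39-53-default.
running_vr() {
    printf '%s\n' "${1%-*}"
}

# kernel_status UNAME_R < installed-version-list
# Prints one of: unpatched | reboot-required | fixed
kernel_status() {
    newest=$(newest_installed)
    running=$(running_vr "$1")
    fixed_base=${FIXED%.*}    # 4.1.39-53, comparable with uname -r
    if ! version_ge "$newest" "$FIXED"; then
        echo unpatched            # the update has not been installed
    elif ! version_ge "$running" "$fixed_base"; then
        echo reboot-required      # installed, but the old kernel is running
    else
        echo fixed
    fi
}

# Live use on an openSUSE host:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-default \
#       | kernel_status "$(uname -r)"
```

openSUSE keeps more than one kernel version installed side by side, which is why the check takes the newest installed version rather than flagging every older package.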


References:

   https://www.suse.com/security/cve/CVE-2016-10200.html
   https://www.suse.com/security/cve/CVE-2016-10208.html
   https://www.suse.com/security/cve/CVE-2016-2117.html
   https://www.suse.com/security/cve/CVE-2017-2583.html
   https://www.suse.com/security/cve/CVE-2017-2584.html
   https://www.suse.com/security/cve/CVE-2017-2596.html
   https://www.suse.com/security/cve/CVE-2017-2636.html
   https://www.suse.com/security/cve/CVE-2017-5669.html
   https://www.suse.com/security/cve/CVE-2017-6214.html
   https://www.suse.com/security/cve/CVE-2017-6345.html
   https://www.suse.com/security/cve/CVE-2017-6346.html
   https://www.suse.com/security/cve/CVE-2017-6347.html
   https://www.suse.com/security/cve/CVE-2017-6348.html
   https://www.suse.com/security/cve/CVE-2017-6353.html
   https://www.suse.com/security/cve/CVE-2017-7184.html
   https://bugzilla.suse.com/1019851
   https://bugzilla.suse.com/1020602
   https://bugzilla.suse.com/1022785
   https://bugzilla.suse.com/1023377
   https://bugzilla.suse.com/1025235
   https://bugzilla.suse.com/1026722
   https://bugzilla.suse.com/1026914
   https://bugzilla.suse.com/1027066
   https://bugzilla.suse.com/1027178
   https://bugzilla.suse.com/1027179
   https://bugzilla.suse.com/1027189
   https://bugzilla.suse.com/1027190
   https://bugzilla.suse.com/1027565
   https://bugzilla.suse.com/1028415
   https://bugzilla.suse.com/1029986
   https://bugzilla.suse.com/1030118
   https://bugzilla.suse.com/1030573
   https://bugzilla.suse.com/968697

openSUSE: 2017:0906-1: important: the Linux Kernel

April 1, 2017