The SUSE Linux Enterprise 12 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-1068: Fixed flaw in the implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory (bnc#1085107). - CVE-2017-18221: The __munlock_pagevec function allowed local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall system calls (bnc#1084323). - CVE-2018-1066: Prevent NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response was mishandled during session recovery (bnc#1083640). - CVE-2017-13166: Prevent elevation of privilege vulnerability in the kernel v4l2 video driver (bnc#1072865). - CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose kernel memory addresses. Successful exploitation required that a USB device was attached over IP (bnc#1078674). - CVE-2017-15299: The KEYS subsystem mishandled use of add_key for a key that already exists but is uninstantiated, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call (bnc#1063416). - CVE-2017-18208: The madvise_willneed function kernel allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494). - CVE-2018-7566: The ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user could have reset the pool size manually via ioctl concurrently, which may have lead UAF or out-of-bound access (bsc#1083483). - CVE-2017-18204: The ocfs2_setattr function allowed local users to cause a denial of service (deadlock) via DIO requests (bnc#1083244). - CVE-2017-16644: The hdpvr_probe function allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118). - CVE-2018-6927: The futex_requeue function allowed attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value (bnc#1080757). - CVE-2017-16914: The 'stub_send_ret_submit()' function allowed attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet (bnc#1078669). - CVE-2016-7915: The hid_input_field function allowed physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device (bnc#1010470). - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions did unbalanced refcounting when a SCSI I/O vector had small consecutive buffers belonging to the same page. The bio_add_pc_page function merged them into one, but the page reference was never dropped. This caused a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition (bnc#1062568). - CVE-2017-16912: The 'get_pipe()' function allowed attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet (bnc#1078673). - CVE-2017-16913: The 'stub_recv_cmd_submit()' function when handling CMD_SUBMIT packets allowed attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet (bnc#1078672). - CVE-2018-5332: The rds_message_alloc_sgs() function did not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c) (bnc#1075621). - CVE-2018-5333: The rds_cmsg_atomic function in net/rds/rdma.c mishandled cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617). - CVE-2017-18017: The tcpmss_mangle_packet function allowed remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action (bnc#1074488).
The following non-security bugs were fixed:
- Fix build on arm64 by defining empty gmb() (bnc#1068032). - KEYS: do not let add_key() update an uninstantiated key (bnc#1063416). - KEYS: fix writing past end of user-supplied buffer in keyring_read() (bsc#1066001). - KEYS: return full count in keyring_read() if buffer is too small (bsc#1066001). - include/stddef.h: Move offsetofend() from vfio.h to a generic kernel header (bsc#1077560). - ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689). - ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689). - ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689). - x86/kaiser: use trampoline stack for kernel entry (bsc#1077560) - leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464). - livepatch: __kgr_shadow_get_or_alloc() is local to shadow.c. Shadow variables support (bsc#1082299). - livepatch: introduce shadow variable API. Shadow variables support (bsc#1082299) - media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF (bnc#1012382). - media: v4l2-compat-ioctl32.c: avoid sizeof(type) (bnc#1012382). - media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 (bnc#1012382). - media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 (bnc#1012382). - media: v4l2-compat-ioctl32.c: do not copy back the result for certain errors (bnc#1012382). - media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type (bnc#1012382). - media: v4l2-compat-ioctl32.c: fix the indentation (bnc#1012382). - media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32 (bnc#1012382). - media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha (bnc#1012382). - media: v4l2-ioctl.c: do not copy back the result for -ENOTTY (bnc#1012382). - netfilter: ebtables: CONFIG_COMPAT: do not trust userland offsets (bsc#1085107). - netfilter: ebtables: fix erroneous reject of last rule (bsc#1085107). - packet: only call dev_add_pack() on freshly allocated fanout instances - pipe: cap initial pipe capacity according to pipe-max-size limit (bsc#1045330). - x86/espfix: Fix return stack in do_double_fault() (bsc#1085279).
openSUSE Leap 15.0 SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Desktop 11 SP3 SUSE Linux Enterprise Desktop 11 SP4 SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise Module for Basesystem 15 SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE Linux Enterprise Module for Live Patching 15 SUSE Linux Enterprise Module for Public Cloud 12 SUSE Linux Enterprise Module for Public Cloud 15 SUSE Linux Enterprise Module for Web Scripting 12 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP1-LTSS SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP2-ESPOS SUSE Linux Enterprise Server 12 SP2-LTSS SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP3-BCL SUSE Linux Enterprise Server 12 SP3-ESPOS SUSE Linux Enterprise Server 12 SP3-LTSS SUSE Linux Enterprise Server 12 SP3-TERADATA SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server 12-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP1-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP2-BCL SUSE Linux Enterprise Server for SAP Applications 12 SP2-ESPOS SUSE Linux Enterprise Server for SAP Applications 12 SP2-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP3-BCL SUSE Linux Enterprise Server for SAP Applications 12 SP3-ESPOS SUSE Linux Enterprise Server for SAP Applications 12 SP3-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SP3-TERADATA SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12-LTSS SUSE Linux Enterprise Workstation Extension 12 SUSE Linux Enterprise Workstation Extension 12 SP1 SUSE Linux Enterprise Workstation Extension 12 SP3 SUSE Linux Enterprise Workstation Extension 12 SP4 SUSE Linux Enterprise Workstation Extension 15 SUSE Linux Enterprise Workstation Extension 15 SP1 SUSE OpenStack Cloud 5 SUSE OpenStack Cloud 7