Description:
The SUSE Linux Enterprise 12 SP3 Teradata Kernel was updated to fix bugs and security issues.
The following security bugs were fixed:
- CVE-2019-2024: A use-after-free when disconnecting a source was fixed which could lead to crashes (bsc#1129179).
- CVE-2019-9213: In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task (bsc#1128166).
- CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the iSCSI target code in the Linux kernel, in the way an authentication request from an iSCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host (bsc#1107829).
- CVE-2019-7221: A use-after-free was found in the way the Linux kernel's KVM hypervisor emulates a preemption timer for an L2 guest when nested (=1) virtualization is enabled. This high-resolution timer (hrtimer) runs while the L2 guest is active (bsc#1124732).
- CVE-2019-7222: An information leak was found in the way the Linux kernel's KVM hypervisor handled a page fault exception while emulating instructions such as VMXON, VMCLEAR, VMPTRLD and VMWRITE with a memory address as operand. It occurs if the operand is an MMIO address, as the returned exception object holds uninitialised stack memory contents (bsc#1124735).
- CVE-2019-6974: A use-after-free was found in the way the Linux kernel's KVM hypervisor implements its device control API. While creating a device via kvm_ioctl_create_device(), the device holds a reference to a VM object; later this reference is transferred to the caller's file descriptor table. If that file descriptor is closed, the reference count of the VM object can drop to zero, potentially leading to a use-after-free later on (bsc#1124728).
- CVE-2019-3459, CVE-2019-3460: The Bluetooth stack suffered from two remote information leak vulnerabilities in the code that handles incoming L2CAP configuration packets (bsc#1120758).
- CVE-2018-19985: The function hso_probe reads if_num from the USB device (as a u8) and used it without a length check to index an array, resulting in an out-of-bounds memory read in hso_probe or hso_get_config_data. A length check was added at both locations and hso_probe now bails out on error (bsc#1120743).
- CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bsc#1069702).
- CVE-2018-16884: NFS41+ shares mounted in different network namespaces at the same time could make bc_svc_process() use wrong back-channel IDs and cause a use-after-free. A malicious container user could thus cause host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bsc#1119946).
- CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bsc#1119714).
- CVE-2018-16862: A security flaw was found in the way the cleancache subsystem clears an inode after the final file truncation (removal). A new file created with the same inode may contain leftover pages from cleancache, i.e. the old file's data instead of the new file's (bsc#1117186).
- CVE-2018-1120: An attacker can block any read() access to /proc/PID/cmdline by mmap()ing a FUSE (Filesystem in Userspace) file onto this process's command-line arguments. The attacker can therefore block pgrep, pidof, pkill, ps and w, either forever (a denial of service) or for some controlled time (a synchronization tool for exploiting other vulnerabilities) (bsc#1093158).
- CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where the ioapic is uninitialized (bsc#1116841).
- CVE-2018-19824: If a USB sound card reports 0 interfaces, an error condition is triggered and the function usb_audio_probe errors out. In the error path there was a use-after-free: the memory object of the card was freed first, followed by a decrement of the number of active chips. Moving the decrement above the free fixes the UAF (bsc#1118152).
- CVE-2017-18344: The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 does not properly validate the sigevent->sigev_notify field, which leads to an out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE) (bsc#1102851).
- CVE-2018-9568: Transforming an IPv6 socket to an IPv4 socket and then transforming it back to a listening socket could result in kernel memory corruption (bsc#1118319).
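Several of the entries above name a precondition the attacker needs (nested KVM for CVE-2019-7221/-7222, an enabled iSCSI target for CVE-2018-14633, low-address mmap for CVE-2019-9213), and after patching an administrator wants to confirm the fix landed. The following POSIX shell script is an added example, not part of the SUSE advisory or the update itself: each check takes its input as an argument so it can be exercised on constructed data, and with `--live` it reads the host's own values. The 65536 threshold for vm.mmap_min_addr, the module name iscsi_target_mod and the package name kernel-default are the example's assumptions, not values taken from this advisory.

```shell
#!/bin/sh
# Added exposure check for the preconditions named in the advisory text.
# Example code, not part of the SUSE update. The threshold, module name and
# package name below are assumptions, not values from the advisory.

# CVE-2019-7221/-7222 only matter while nested virtualization is enabled.
# $1: contents of /sys/module/kvm_intel/parameters/nested (or kvm_amd): "Y", "N", "1", "0".
nested_enabled() {
    case "$1" in
        Y|y|1) return 0 ;;
        *)     return 1 ;;
    esac
}

# CVE-2018-14633 requires the iSCSI target on the victim; a loaded
# iscsi_target_mod (assumed module name) is treated as "enabled". $1: lsmod output.
iscsi_target_loaded() {
    printf '%s\n' "$1" | grep -q '^iscsi_target_mod[[:space:]]'
}

# CVE-2019-9213 concerns mapping the lowest pages; a non-trivial
# vm.mmap_min_addr (65536 assumed as the usual default) is the layered defence.
# $1: contents of /proc/sys/vm/mmap_min_addr. Non-numeric input counts as not ok.
mmap_min_addr_ok() {
    [ "$1" -ge 65536 ] 2>/dev/null
}

# After the update the kernel package changelog should name the CVE.
# $1: output of 'rpm -q --changelog <kernel package>', $2: CVE id.
changelog_mentions() {
    printf '%s\n' "$1" | grep -q -F -- "$2"
}

# How many attacker preconditions hold for this set of inputs.
# Prints the count; exit status 0 when none hold, 1 otherwise.
exposure_count() {
    nested="$1"; lsmod_out="$2"; min_addr="$3"
    n=0
    nested_enabled "$nested"         && n=$((n + 1))
    iscsi_target_loaded "$lsmod_out" && n=$((n + 1))
    mmap_min_addr_ok "$min_addr"     || n=$((n + 1))
    echo "$n"
    [ "$n" -eq 0 ]
}

# Live run: read the host's values, tolerating missing files and tools so the
# script is usable on any box. KERNEL_PKG defaults to kernel-default (assumed).
report_live() {
    nested=$(cat /sys/module/kvm_intel/parameters/nested 2>/dev/null \
          || cat /sys/module/kvm_amd/parameters/nested 2>/dev/null || echo N)
    lsmod_out=$(lsmod 2>/dev/null || true)
    min_addr=$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null || echo 0)
    changelog=$(rpm -q --changelog "${KERNEL_PKG:-kernel-default}" 2>/dev/null || true)

    nested_enabled "$nested"         && echo "nested KVM enabled: CVE-2019-7221/-7222 reachable until patched"
    iscsi_target_loaded "$lsmod_out" && echo "iscsi_target_mod loaded: CVE-2018-14633 reachable remotely until patched"
    mmap_min_addr_ok "$min_addr"     || echo "vm.mmap_min_addr=$min_addr: low-address mmap allowed (CVE-2019-9213)"
    for cve in CVE-2019-9213 CVE-2018-14633 CVE-2019-6974 CVE-2019-7221; do
        changelog_mentions "$changelog" "$cve" && echo "$cve: listed in ${KERNEL_PKG:-kernel-default} changelog"
    done
    return 0
}

if [ "${1:-}" = "--live" ]; then
    report_live
fi
```

Run it as `sh check.sh --live` on the host (optionally `KERNEL_PKG=<package> sh check.sh --live` if the Teradata kernel ships under a different package name); without `--live` the functions are defined but nothing is read from the system. A non-empty report before the update tells you which of the listed bugs are reachable in your configuration; after the update, the changelog lines confirm the fixed kernel is installed, though only a reboot makes it the running kernel.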
The following non-security bugs were fixed:
- x86: Add TSX Force Abort CPUID/MSR (bsc#1121805)
- pseries/energy: Use OF accessor function to read ibm,drc-indexes (bsc#1129080)
- copy_mount_string: Limit string length to PATH_MAX (bsc#1082943)
- powerpc/boot: Request no dynamic linker for boot wrapper (bsc#1070805)
- ibmvscsi: Fix empty event pool access during host removal (bsc#1119019)