openSUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________
Announcement ID: openSUSE-SU-2017:2905-1
Rating: important
References: #1012382 #1020645 #1022595 #1022600 #1025461
#1028971 #1034048 #1055567 #1056427 #1059863
#1060985 #1061451 #1062520 #1062962 #1063460
#1063475 #1063501 #1063509 #1063520 #1063667
#1063695 #1064206 #1064388 #964944 #966170
#966172 #966186 #966191 #966316 #966318 #969474
#969475 #969476 #969477 #971975
Cross-References: CVE-2017-13080 CVE-2017-15265 CVE-2017-15649
Affected Products:
openSUSE Leap 42.2
______________________________________________________________________________
An update that solves three vulnerabilities and has 32
fixes is now available.
Description:
The openSUSE Leap 42.2 kernel was updated to 4.4.92 to receive various
security and bugfixes.
The following security bugs were fixed:
– CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed
reinstallation of the Group Temporal Key (GTK) during the group key
handshake, allowing an attacker within radio range to replay frames from
access points to clients (bnc#1063667).
– CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel
allowed local users to cause a denial of service (use-after-free) or
possibly have unspecified other impact via crafted /dev/snd/seq ioctl
calls, related to sound/core/seq/seq_clientmgr.c and
sound/core/seq/seq_ports.c (bnc#1062520).
– CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local
users to gain privileges via crafted system calls that trigger
mishandling of packet_fanout data structures, because of a race
condition (involving fanout_add and packet_do_bind) that leads to a
use-after-free, a different vulnerability than CVE-2017-6346
(bnc#1064388).
The following non-security bugs were fixed:
– alsa: au88x0: avoid theoretical uninitialized access (bnc#1012382).
– alsa: compress: Remove unused variable (bnc#1012382).
– alsa: usb-audio: Check out-of-bounds access by corrupted buffer
descriptor (bnc#1012382).
– alsa: usx2y: Suppress kernel warning at page allocation failures
(bnc#1012382).
– arm: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM (bnc#1012382).
– arm: dts: r8a7790: Use R-Car Gen 2 fallback binding for msiof nodes
(bnc#1012382).
– arm: remove duplicate ‘const’ annotations’ (bnc#1012382).
– asoc: dapm: fix some pointer error handling (bnc#1012382).
– asoc: dapm: handle probe deferrals (bnc#1012382).
– audit: log 32-bit socketcalls (bnc#1012382).
– blacklist 0e7736c6b806 powerpc/powernv: Fix data type for @r in
pnv_ioda_parse_m64_window()
– blacklist.conf: not fitting cleanup patch
– brcmfmac: setup passive scan if requested by user-space (bnc#1012382).
– bridge: netlink: register netdevice before executing changelink
(bnc#1012382).
– ceph: avoid panic in create_session_open_msg() if utsname() returns NULL
(bsc#1061451).
– ceph: check negative offsets in ceph_llseek() (bsc#1061451).
– driver core: platform: Do not read past the end of “driver_override”
buffer (bnc#1012382).
– drivers: firmware: psci: drop duplicate const from psci_of_match
(bnc#1012382).
– drivers: hv: fcopy: restore correct transfer length (bnc#1012382).
– drm/amdkfd: fix improper return value on error (bnc#1012382).
– drm: bridge: add DT bindings for TI ths8135 (bnc#1012382).
– drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define (bnc#1012382).
– drm/i915/bios: ignore HDMI on port A (bnc#1012382).
– ext4: do not allow encrypted operations without keys (bnc#1012382).
– extcon: axp288: Use vbus-valid instead of -present to determine cable
presence (bnc#1012382).
– exynos-gsc: Do not swap cb/cr for semi planar formats (bnc#1012382).
– fix whitespace according to upstream commit
– fs/epoll: cache leftmost node (bsc#1056427).
– ftrace: Fix kmemleak in unregister_ftrace_graph (bnc#1012382).
– gfs2: Fix reference to ERR_PTR in gfs2_glock_iter_next (bnc#1012382).
– hid: i2c-hid: allocate hid buffers for real worst case (bnc#1012382).
– hpsa: correct lun data caching bitmap definition (bsc#1028971).
– hwmon: (gl520sm) Fix overflows and crash seen when writing into limit
attributes (bnc#1012382).
– i2c: meson: fix wrong variable usage in meson_i2c_put_data (bnc#1012382).
– i40e: Initialize 64-bit statistics TX ring seqcount (bsc#969476
FATE#319648 bsc#969477 FATE#319816).
– i40iw: Add missing memory barriers (bsc#969476 FATE#319648 bsc#969477
FATE#319816).
– i40iw: Fix port number for query QP (bsc#969476 FATE#319648 bsc#969477
FATE#319816).
– ib/core: Fix for core panic (bsc#1022595 FATE#322350).
– ib/core: Fix the validations of a multicast LID in attach or detach
operations (bsc#1022595 FATE#322350).
– ib/i40iw: Fix error code in i40iw_create_cq() (bsc#969476 FATE#319648
bsc#969477 FATE#319816).
– ib/ipoib: Fix deadlock over vlan_mutex (bnc#1012382).
– ib/ipoib: Replace list_del of the neigh->list with list_del_init
(bnc#1012382).
– ib/ipoib: rtnl_unlock can not come after free_netdev (bnc#1012382).
– ib/mlx5: Fix Raw Packet QP event handler assignment (bsc#966170
FATE#320225 bsc#966172 FATE#320226).
– ibmvnic: Set state UP (bsc#1062962).
– ib/qib: fix false-postive maybe-uninitialized warning (bnc#1012382).
– igb: re-assign hw address pointer on reset after PCI error (bnc#1012382).
– iio: ad7793: Fix the serial interface reset (bnc#1012382).
– iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register
modifications (bnc#1012382).
– iio: adc: hx711: Add DT binding for avia,hx711 (bnc#1012382).
– iio: adc: mcp320x: Fix oops on module unload (bnc#1012382).
– iio: adc: mcp320x: Fix readout of negative voltages (bnc#1012382).
– iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling
path of ‘twl4030_madc_probe()’ (bnc#1012382).
– iio: adc: twl4030: Fix an error handling path in ‘twl4030_madc_probe()’
(bnc#1012382).
– iio: ad_sigma_delta: Implement a dedicated reset function (bnc#1012382).
– iio: core: Return error for failed read_reg (bnc#1012382).
– iommu/io-pgtable-arm: Check for leaf entry before dereferencing it
(bnc#1012382).
– iwlwifi: add workaround to disable wide channels in 5GHz (bnc#1012382).
– ixgbe: Fix incorrect bitwise operations of PTP Rx timestamp flags
(bsc#969474 FATE#319812 bsc#969475 FATE#319814).
– kABI: protect struct rm_data_op (kabi).
– kABI: protect struct sdio_func (kabi).
– libata: transport: Remove circular dependency at free time (bnc#1012382).
– lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
(bnc#1012382).
– md/raid10: submit bio directly to replacement disk (bnc#1012382).
– mips: Ensure bss section ends on a long-aligned address (bnc#1012382).
– mips: Fix minimum alignment requirement of IRQ stack (git-fixes).
– mips: IRQ Stack: Unwind IRQ stack onto task stack (bnc#1012382).
– mips: Lantiq: Fix another request_mem_region() return code check
(bnc#1012382).
– mips: ralink: Fix incorrect assignment on ralink_soc (bnc#1012382).
– mlx5: Avoid that mlx5_ib_sg_to_klms() overflows the klms array
(bsc#966170 FATE#320225 bsc#966172 FATE#320226).
– mm/backing-dev.c: fix an error handling path in ‘cgwb_create()’
(bnc#1063475).
– mm,compaction: serialize waitqueue_active() checks (for real)
(bsc#971975).
– mmc: sdio: fix alignment issue in struct sdio_func (bnc#1012382).
– mm: discard memblock data later (bnc#1063460).
– mm/memblock.c: reversed logic in memblock_discard() (bnc#1063460).
– mm: meminit: mark init_reserved_page as __meminit (bnc#1063509).
– mm/memory_hotplug: change pfn_to_section_nr/section_nr_to_pfn macro to
inline function (bnc#1063501).
– mm/memory_hotplug: define find_{smallest|biggest}_section_pfn as
unsigned long (bnc#1063520).
– net: core: Prevent from dereferencing null pointer when releasing SKB
(bnc#1012382).
– netfilter: invoke synchronize_rcu after set the _hook_ to NULL
(bnc#1012382).
– netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max
(bnc#1012382).
– net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled
(bsc#966191 FATE#320230 bsc#966186 FATE#320228).
– net/mlx5e: Fix wrong delay calculation for overflow check scheduling
(bsc#966170 FATE#320225 bsc#966172 FATE#320226).
– net/mlx5e: Schedule overflow check work to mlx5e workqueue (bsc#966170
FATE#320225 bsc#966172 FATE#320226).
– net/mlx5: Skip mlx5_unload_one if mlx5_load_one fails (bsc#966170
FATE#320225 bsc#966172 FATE#320226).
– net/packet: check length in getsockopt() called with PACKET_HDRLEN
(bnc#1012382).
– nvme: protect against simultaneous shutdown invocations (FATE#319965
bnc#1012382 bsc#964944).
– parisc: perf: Fix potential NULL pointer dereference (bnc#1012382).
– partitions/efi: Fix integer overflow in GPT size calculation
(bnc#1012382).
– qed: Fix stack corruption on probe (bsc#966318 FATE#320158 bsc#966316
FATE#320159).
– rds: ib: add error handle (bnc#1012382).
– rds: RDMA: Fix the composite message user notification (bnc#1012382).
– README.BRANCH: Add Michal and Johannes as co-maintainers.
– sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs (bnc#1012382).
– scsi: hpsa: add ‘ctlr_num’ sysfs attribute (bsc#1028971).
– scsi: hpsa: bump driver version (bsc#1022600 fate#321928).
– scsi: hpsa: change driver version (bsc#1022600 bsc#1028971 fate#321928).
– scsi: hpsa: Check for null device pointers (bsc#1028971).
– scsi: hpsa: Check for null devices in ioaccel (bsc#1028971).
– scsi: hpsa: Check for vpd support before sending (bsc#1028971).
– scsi: hpsa: cleanup reset handler (bsc#1022600 fate#321928).
– scsi: hpsa: correct call to hpsa_do_reset (bsc#1028971).
– scsi: hpsa: correct logical resets (bsc#1028971).
– scsi: hpsa: correct queue depth for externals (bsc#1022600 fate#321928).
– scsi: hpsa: correct resets on retried commands (bsc#1022600 fate#321928).
– scsi: hpsa: correct scsi 6byte lba calculation (bsc#1028971).
– scsi: hpsa: Determine device external status earlier (bsc#1028971).
– scsi: hpsa: do not get enclosure info for external devices (bsc#1022600
fate#321928).
– scsi: hpsa: do not reset enclosures (bsc#1022600 fate#321928).
– scsi: hpsa: do not timeout reset operations (bsc#1022600 bsc#1028971
fate#321928).
– scsi: hpsa: fallback to use legacy REPORT PHYS command (bsc#1028971).
– scsi: hpsa: fix volume offline state (bsc#1022600 bsc#1028971
fate#321928).
– scsi: hpsa: limit outstanding rescans (bsc#1022600 bsc#1028971
fate#321928).
– scsi: hpsa: Prevent sending bmic commands to externals (bsc#1028971).
– scsi: hpsa: remove abort handler (bsc#1022600 fate#321928).
– scsi: hpsa: remove coalescing settings for ioaccel2 (bsc#1028971).
– scsi: hpsa: remove memory allocate failure message (bsc#1028971).
– scsi: hpsa: Remove unneeded void pointer cast (bsc#1028971).
– scsi: hpsa: rescan later if reset in progress (bsc#1022600 fate#321928).
– scsi: hpsa: send ioaccel requests with 0 length down raid path
(bsc#1022600 fate#321928).
– scsi: hpsa: separate monitor events from rescan worker (bsc#1022600
fate#321928).
– scsi: hpsa: update check for logical volume status (bsc#1022600
bsc#1028971 fate#321928).
– scsi: hpsa: update identify physical device structure (bsc#1022600
fate#321928).
– scsi: hpsa: update pci ids (bsc#1022600 bsc#1028971 fate#321928).
– scsi: hpsa: update reset handler (bsc#1022600 fate#321928).
– scsi: hpsa: use designated initializers (bsc#1028971).
– scsi: hpsa: use %phN for short hex dumps (bsc#1028971).
– scsi: libfc: fix a deadlock in fc_rport_work (bsc#1063695).
– scsi: sd: Do not override max_sectors_kb sysfs setting (bsc#1025461).
– scsi: sd: Remove LBPRZ dependency for discards (bsc#1060985). This patch
is originally part of a larger series which can’t be easily backported
to SLE-12. For a reasoning why we think it’s safe to apply, see
bsc#1060985, comment 20.
– scsi: sg: close race condition in sg_remove_sfp_usercontext()
(bsc#1064206).
– sh_eth: use correct name for ECMR_MPDE bit (bnc#1012382).
– staging: iio: ad7192: Fix – use the dedicated reset function avoiding
dma from stack (bnc#1012382).
– stm class: Fix a use-after-free (bnc#1012382).
– supported.conf: mark hid-multitouch as supported (FATE#323670)
– team: call netdev_change_features out of team lock (bsc#1055567).
– team: fix memory leaks (bnc#1012382).
– tpm_tis: Do not fall back to a hardcoded address for TPM2 (bsc#1020645,
fate#321435, fate#321507, fate#321600, bsc#1034048).
– ttpci: address stringop overflow warning (bnc#1012382).
– tty: goldfish: Fix a parameter of a call to free_irq (bnc#1012382).
– usb: chipidea: vbus event may exist before starting gadget (bnc#1012382).
– usb: core: harden cdc_parse_cdc_header (bnc#1012382).
– usb: devio: Do not corrupt user memory (bnc#1012382).
– usb: dummy-hcd: fix connection failures (wrong speed) (bnc#1012382).
– usb: dummy-hcd: Fix erroneous synchronization change (bnc#1012382).
– usb: dummy-hcd: fix infinite-loop resubmission bug (bnc#1012382).
– usb: fix out-of-bounds in usb_set_configuration (bnc#1012382).
– usb: gadgetfs: fix copy_to_user while holding spinlock (bnc#1012382).
– usb: gadgetfs: Fix crash caused by inadequate synchronization
(bnc#1012382).
– usb: gadget: inode.c: fix unbalanced spin_lock in ep0_write
(bnc#1012382).
– usb: gadget: mass_storage: set msg_registered after msg registered
(bnc#1012382).
– usb: gadget: udc: atmel: set vbus irqflags explicitly (bnc#1012382).
– usb: g_mass_storage: Fix deadlock when driver is unbound (bnc#1012382).
– usb: Increase quirk delay for USB devices (bnc#1012382).
– usb: pci-quirks.c: Corrected timeout values used in handshake
(bnc#1012382).
– usb: plusb: Add support for PL-27A1 (bnc#1012382).
– usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe
(bnc#1012382).
– usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction
(bnc#1012382).
– usb: serial: mos7720: fix control-message error handling (bnc#1012382).
– usb: serial: mos7840: fix control-message error handling (bnc#1012382).
– usb-storage: unusual_devs entry to fix write-access regression for
Seagate external drives (bnc#1012382).
– usb: uas: fix bug in handling of alternate settings (bnc#1012382).
– uwb: ensure that endpoint is interrupt (bnc#1012382).
– uwb: properly check kthread_run return value (bnc#1012382).
– xfs: handle error if xfs_btree_get_bufs fails (bsc#1059863).
– xfs: remove kmem_zalloc_greedy (bnc#1012382).
– xhci: fix finding correct bus_state structure for USB 3.1 hosts
(bnc#1012382).
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
– openSUSE Leap 42.2:
zypper in -t patch openSUSE-2017-1224=1
To bring your system up-to-date, use “zypper patch”.
Package List:
– openSUSE Leap 42.2 (noarch):
kernel-devel-4.4.92-18.36.1
kernel-docs-4.4.92-18.36.2
kernel-docs-html-4.4.92-18.36.2
kernel-docs-pdf-4.4.92-18.36.2
kernel-macros-4.4.92-18.36.1
kernel-source-4.4.92-18.36.1
kernel-source-vanilla-4.4.92-18.36.1
– openSUSE Leap 42.2 (x86_64):
kernel-debug-4.4.92-18.36.1
kernel-debug-base-4.4.92-18.36.1
kernel-debug-base-debuginfo-4.4.92-18.36.1
kernel-debug-debuginfo-4.4.92-18.36.1
kernel-debug-debugsource-4.4.92-18.36.1
kernel-debug-devel-4.4.92-18.36.1
kernel-debug-devel-debuginfo-4.4.92-18.36.1
kernel-default-4.4.92-18.36.1
kernel-default-base-4.4.92-18.36.1
kernel-default-base-debuginfo-4.4.92-18.36.1
kernel-default-debuginfo-4.4.92-18.36.1
kernel-default-debugsource-4.4.92-18.36.1
kernel-default-devel-4.4.92-18.36.1
kernel-obs-build-4.4.92-18.36.1
kernel-obs-build-debugsource-4.4.92-18.36.1
kernel-obs-qa-4.4.92-18.36.1
kernel-syms-4.4.92-18.36.1
kernel-vanilla-4.4.92-18.36.1
kernel-vanilla-base-4.4.92-18.36.1
kernel-vanilla-base-debuginfo-4.4.92-18.36.1
kernel-vanilla-debuginfo-4.4.92-18.36.1
kernel-vanilla-debugsource-4.4.92-18.36.1
kernel-vanilla-devel-4.4.92-18.36.1
References:
https://www.suse.com/security/cve/CVE-2017-13080.html
https://www.suse.com/security/cve/CVE-2017-15265.html
https://www.suse.com/security/cve/CVE-2017-15649.html
https://bugzilla.suse.com/1012382
https://bugzilla.suse.com/1020645
https://bugzilla.suse.com/1022595
https://bugzilla.suse.com/1022600
https://bugzilla.suse.com/1025461
https://bugzilla.suse.com/1028971
https://bugzilla.suse.com/1034048
https://bugzilla.suse.com/1055567
https://bugzilla.suse.com/1056427
https://bugzilla.suse.com/1059863
https://bugzilla.suse.com/1060985
https://bugzilla.suse.com/1061451
https://bugzilla.suse.com/1062520
https://bugzilla.suse.com/1062962
https://bugzilla.suse.com/1063460
https://bugzilla.suse.com/1063475
https://bugzilla.suse.com/1063501
https://bugzilla.suse.com/1063509
https://bugzilla.suse.com/1063520
https://bugzilla.suse.com/1063667
https://bugzilla.suse.com/1063695
https://bugzilla.suse.com/1064206
https://bugzilla.suse.com/1064388
https://bugzilla.suse.com/964944
https://bugzilla.suse.com/966170
https://bugzilla.suse.com/966172
https://bugzilla.suse.com/966186
https://bugzilla.suse.com/966191
https://bugzilla.suse.com/966316
https://bugzilla.suse.com/966318
https://bugzilla.suse.com/969474
https://bugzilla.suse.com/969475
https://bugzilla.suse.com/969476
https://bugzilla.suse.com/969477
https://bugzilla.suse.com/971975
—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org