SUSE-SU-2019:1823-2

See a problem?
Please try reporting it to the source first.
Source
https://www.suse.com/support/update/announcement/2019/suse-su-20191823-2/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2019:1823-2.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2019:1823-2
Related
Published
2019-07-15T05:40:50Z
Modified
2019-07-15T05:40:50Z
Summary
Security update for the Linux Kernel
Details

The SUSE Linux Enterprise 12 SP 2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

  • CVE-2019-10638: In the Linux kernel, a device could be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic was sent to multiple destination IP addresses, it was possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses. (bnc#1140575)
  • CVE-2019-10639: The Linux kernel allowed Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it was possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic was sent to multiple destination IP addresses, it was possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key was extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visited the attacker's web page, then WebRTC or gQUIC could be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable because IP ID generation was changed to have a dependency on an address associated with a network namespace. (bnc#)
  • CVE-2019-10126: A flaw was found in the Linux kernel that might lead to memory corruption in the marvell mwifiex driver. (bnc#1136935)
  • CVE-2018-20836: An issue was discovered in the Linux kernel There was a race condition in smptasktimedout() and smptaskdone() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free. (bnc#1134395)
  • CVE-2019-11599: The coredump implementation in the Linux kernel did not use locking or other mechanisms to prevent vma layout or vma flags changes while it ran, which allowed local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmgetnotzero or gettaskmm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/taskmmu.c, and drivers/infiniband/core/uverbsmain.c. (bnc#1133738)
  • CVE-2019-12614: An issue was discovered in dlparparsecc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel There was an unchecked kstrdup of prop-name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). (bnc#)
  • CVE-2019-12818: An issue was discovered in the Linux kernel The nfcllcpbuildtlv function in net/nfc/llcpcommands.c may return NULL. If the caller did not check for this, it will trigger a NULL pointer dereference. This will cause denial of service. This affects nfcllcpbuildgb in net/nfc/llcpcore.c. (bnc#1137194)
  • CVE-2019-12819: An issue was discovered in the Linux kernel The function _mdiobusregister() in drivers/net/phy/mdiobus.c called putdevice(), which would trigger a fixedmdiobus_init use-after-free. This would cause a denial of service. (bnc#1138291)
  • CVE-2019-12456 a double-fetch bug in ctlioctl_main() could allow local users to create a denial of service (bsc#1136922).
  • CVE-2019-12380: An issue was discovered in the efi subsystem in the Linux kernel physefisetvirtualaddressmap in arch/x86/platform/efi/efi.c and eficallphysprolog in arch/x86/platform/efi/efi_64.c mishandle memory allocation failures. NOTE: This id is disputed as not being an issue because All the code touched by the referenced commit runs only at boot, before any user processes are started. Therefore, there is no possibility for an unprivileged user to control it. (bnc#)
  • CVE-2019-11487: The Linux kernel allowed page-refcount reference count to overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipefs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests. (bnc#1133190)

The following non-security bugs were fixed:

  • Drop multiversion(kernel) from the KMP template (bsc#1127155).
  • Revert 'KMPs: obsolete older KMPs of the same flavour (bsc#1127155, bsc#1109137).' This reverts commit 4cc83da426b53d47f1fde9328112364eab1e9a19.
  • sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254).
  • x86/cpu: Unify CPU family, model, stepping calculation (bsc#1134701).
  • x86/entry/64/compat: Fix stack switching for XEN PV (bsc#1108382).
  • x86/microcode/AMD: Fix initrd loading with CONFIGRANDOMIZEMEMORY=y (bsc#1134701).
  • x86/microcode/AMD: Fix load of builtin microcode with randomized memory (bsc#1134701).
  • x86/microcode/AMD: Reload proper initrd start address (bsc#1134701).
  • x86/microcode/amd: Hand down the CPU family (bsc#1134701).
  • x86/microcode/amd: Move private inlines to .c and mark local functions static (bsc#1134701).
  • x86/microcode/intel: Drop stashed AP patch pointer optimization (bsc#1134701).
  • x86/microcode/intel: Fix allocation size of struct ucode_patch (bsc#1134701).
  • x86/microcode/intel: Fix initrd loading with CONFIGRANDOMIZEMEMORY=y (bsc#1134701).
  • x86/microcode/intel: Remove intel_lib.c (bsc#1134701).
  • x86/microcode/intel: Remove unused arg of getmatchingmodel_microcode() (bsc#1134701).
  • x86/microcode/intel: Rename loadmicrocodeearly() to findmicrocodepatch() (bsc#1134701).
  • x86/microcode/intel: Rename local variables of type struct mcsaveddata (bsc#1134701).
  • x86/microcode/intel: Rename mc_intel variable to mc (bsc#1134701).
  • x86/microcode/intel: Rename mcsavedin_initrd (bsc#1134701).
  • x86/microcode/intel: Simplify genericloadmicrocode() (bsc#1134701).
  • x86/microcode/intel: Unexport savemcfor_early() (bsc#1134701).
  • x86/microcode/intel: Use correct buffer size for saving microcode data (bsc#1134701).
  • x86/microcode: Collect CPU info on resume (bsc#1134701).
  • x86/microcode: Export the microcode cache linked list (bsc#1134701).
  • x86/microcode: Fix loading precedence (bsc#1134701).
  • x86/microcode: Get rid of findcpiodata()'s dummy offset arg (bsc#1134701).
  • x86/microcode: Issue the debug printk on resume only on success (bsc#1134701).
  • x86/microcode: Rework microcode loading (bsc#1134701).
  • x86/microcode: Run the AP-loading routine only on the application processors (bsc#1134701).
References

Affected packages

SUSE:Linux Enterprise High Availability Extension 12 SP2 / kernel-default

Package

Name
kernel-default
Purl
purl:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2012%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.4.121-92.117.1

Ecosystem specific 

{
    "binaries": [
        {
            "dlm-kmp-default": "4.4.121-92.117.1",
            "gfs2-kmp-default": "4.4.121-92.117.1",
            "cluster-network-kmp-default": "4.4.121-92.117.1",
            "ocfs2-kmp-default": "4.4.121-92.117.1",
            "cluster-md-kmp-default": "4.4.121-92.117.1"
        }
    ]
}