|
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various
security and bugfixes.
The following security bugs were fixed:
- CVE-2019-10638: In the Linux kernel, a device could be tracked by an
attacker using the IP ID values the kernel produces for connection-less
protocols (e.g., UDP and ICMP). When such traffic was sent to multiple
destination IP addresses, it was possible to obtain hash collisions (of
indices to the counter array) and thereby obtain the hashing key (via
enumeration). An attack may have been conducted by hosting a crafted web
page that uses WebRTC or gQUIC to force UDP traffic to
attacker-controlled IP addresses (bnc#1140575 1140577).
- CVE-2019-10639: The Linux kernel allowed Information Exposure (partial
kernel address disclosure), that lead to a KASLR bypass. Specifically,
it was possible to extract the KASLR kernel image offset using the IP ID
values the kernel produces for connection-less protocols (e.g., UDP and
ICMP). When such traffic is sent to multiple destination IP addresses,
it was possible to obtain hash collisions (of indices to the counter
array) and thereby obtain the hashing key (via enumeration). This key
contains enough bits from a kernel address (of a static variable) so
when the key is extracted (via enumeration), the offset of the kernel
image is exposed. This attack could be carried out remotely, by the
attacker forcing the target device to send UDP or ICMP (or certain
other) traffic to attacker-controlled IP addresses. Forcing a server to
send UDP traffic is trivial if the server is a DNS server. ICMP traffic
is trivial if the server answers ICMP Echo requests (ping). For client
targets, if the target visited the attacker's web page, then WebRTC or
gQUIC could be used to force UDP traffic to attacker-controlled IP
addresses. NOTE: this attack against KASLR became viable because IP ID
generation was changed to have a dependency on an address associated
with a network namespace (bnc#1140577).
- CVE-2019-10126: A flaw was found in the Linux kernel. A heap based
buffer overflow in mwifiex_uap_parse_tail_ies function in
drivers/net/wireless/marvell/mwifiex/ie.c might have lead to memory
corruption and possibly other consequences (bnc#1136935).
- CVE-2018-20836: An issue was discovered in the Linux kernel There was a
race condition in smp_task_timedout() and smp_task_done() in
drivers/scsi/libsas/sas_expander.c, leading to a use-after-free
(bnc#1134395).
- CVE-2019-11599: The coredump implementation in the Linux kernel did not
use locking or other mechanisms to prevent vma layout or vma flags
changes while it ran, which allowed local users to obtain sensitive
information, cause a denial of service, or possibly have unspecified
other impact by triggering a race condition with mmget_not_zero or
get_task_mm call. This is related to fs/userfaultfd.c, mm/mmap.c,
fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c
(bnc#1131645 1133738).
- CVE-2019-12614: An issue was discovered in dlpar_parse_cc_property in
arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel There was an
unchecked kstrdup of prop-name, which might have allowed an attacker to
cause a denial of service (NULL pointer dereference and system crash)
(bnc#1137194).
- CVE-2019-12819: An issue was discovered in the Linux kernel The function
__mdiobus_register() in drivers/net/phy/mdio_bus.c calls put_device(),
which would trigger a fixed_mdio_bus_init use-after-free. This would
cause a denial of service (bnc#1138291).
- CVE-2019-12818: An issue was discovered in the Linux kernel The
nfc_llcp_build_tlv function in net/nfc/llcp_commands.c may return NULL.
If the caller did not check for this, it would trigger a NULL pointer
dereference. This would cause a denial of service. This affected
nfc_llcp_build_gb in net/nfc/llcp_core.c (bnc#1138293).
- CVE-2019-12456: A double-fetch bug in _ctl_ioctl_main() could lead to a
local denial of service attack (bsc#1136922 CVE-2019-12456).
- CVE-2019-12380: An issue was discovered in the efi subsystem in the
Linux kernel phys_efi_set_virtual_address_map in
arch/x86/platform/efi/efi.c and efi_call_phys_prolog in
arch/x86/platform/efi/efi_64.c mishandle memory allocation failures.
NOTE: This id is disputed as not being an issue because ;All the code
touched by the referenced commit runs only at boot, before any user
processes are started. Therefore, there is no possibility for an
unprivileged user to control it (bnc#1136598).
- CVE-2019-11487: The Linux kernel before allowed page-_refcount reference
count overflow, with resultant use-after-free issues, if about 140 GiB
of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,
include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c,
mm/gup.c, and mm/hugetlb.c. It could occur with FUSE requests
(bnc#1133190 1133191).
The following non-security bugs were fixed:
http://lists.suse.com/pipermail/sle-security-updates/2019-July/005717.html
|