Bug 1107829 (CVE-2018-14633) - VUL-0: CVE-2018-14633: kernel-source: security flaw in iscsi target code
Status: RESOLVED FIXED
Alias: CVE-2018-14633
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/214018/
Whiteboard: CVSSv3:SUSE:CVE-2018-14633:8.8:(AV:N/...
Reported: 2018-09-10 12:25 UTC by Marcus Meissner
Modified: 2024-06-25 13:49 UTC

Found By: Security Response Team

Attachments
patch-iscsi.tar.gz (3.12 KB, application/gzip)
2018-09-10 12:26 UTC, Marcus Meissner

Description Marcus Meissner 2018-09-10 12:25:06 UTC
CVE-2018-14633

CRD: 2018-09-24 (latest)

From: Vladis Dronov <vdronov@redhat.com>
Date: Mon, 10 Sep 2018 05:25:30 -0400 (EDT)
subject: ***UNCHECKED*** [vs] CVE-2018-14633: security flaw in iscsi target code


Hello,

"Vincent Pelletier" <plr.vincent@gmail.com> has found a security flaw in the
chap_server_compute_md5() function in the ISCSI target code in the Linux kernel
in a way an authentication request from an ISCSI initiator is processed. An
unauthenticated remote attacker can cause a stack buffer overflow and smash up
to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on
the victim host.

This flaw was assigned a CVE-ID of CVE-2018-14633 and I would suggest to use it
in the future communications re: this.

The impact analysis follows. The flaw resides in this code:

[drivers/target/iscsi/iscsi_target_auth.h]
#define CHAP_CHALLENGE_LENGTH  16
#define MD5_SIGNATURE_SIZE     16      /* 16 bytes in a MD5 message digest */
#define MAX_RESPONSE_LENGTH    64      /* sufficient for MD5 */
#define MAX_CHAP_N_SIZE        512

[drivers/target/iscsi/iscsi_target_auth.c]
static int chap_server_compute_md5( ... char *nr_in_ptr, char *nr_out_ptr, ... )
{       ...
        unsigned char client_digest[MD5_SIGNATURE_SIZE];
        unsigned char server_digest[MD5_SIGNATURE_SIZE];
        unsigned char chap_r[MAX_RESPONSE_LENGTH];
        ...
        if (extract_param(nr_in_ptr, "CHAP_R", MAX_RESPONSE_LENGTH, chap_r,
            &type) < 0) { ...exit... }
        ...
        chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
        ...
        // int crypto_shash_finup(struct shash_desc *desc, const u8 *data,
        //     unsigned int len, u8 *out)
        // note, server_digest is *out
        ret = crypto_shash_finup(desc, chap->challenge, CHAP_CHALLENGE_LENGTH, server_digest);
        ...
        chap_binaryhex_to_asciihex(response, server_digest, MD5_SIGNATURE_SIZE);

Here chap_string_to_hex() (which basically does hex2bin()) can have max 64-bytes
input string, then it converts the input to a 32-bytes binary string and writes
it plus the trailing \0 to the 16-bytes on-stack buffer client_digest[], making
this a classical buffer overflow.

chap_r is attacker-controlled, the question is what an attack can overwrite.
The overwrite can be 16 bytes + zero byte. Checking what is where on the stack
in RHEL/x86_64, server_digest[] and the 1st byte of response[] can be
overwritten. According to the code, server_digest[] and response[] are not used
after the overwrite and are filled with correct values later by the
crypto_shash_finup() and the chap_binaryhex_to_asciihex().

This means the flaw has no impact _on_the_RHEL_x86_64_systems_.

Depending on how the other distributions' kernel is built (i.e. depending on a
compiler, compile flags and hardware architecture) a compiler may put other
local variables or function arguments on the stack after the client_digest. This
may lead to different outcomes, like chap_server_compute_md5() may erroneously
return with a result of a successful authentication by rewriting auth_ret, and
so expose all the target's content to an attacker. Or, if nr_out_ptr is
overwritten, this can damage other kernel memory content via later sprintf() and
thus lead to a system crash.

At last, with distribution kernels where stack canary is disabled the overwrite
may corrupt a return pointer, saved registers and other function's stack frame.
Due to this, privilege escalation cannot be fully ruled out, although we believe
this is highly unlikely.

The security@kernel.org and the SCSI layer maintainers were informed about this
issue. I would like to request an embargo for this flaw until the upstream
accepts and publishes the patches, max 14 days, i.e. up to Sep 24, the reporter
is okay with that.

The patches suggested by the reporter to s@k.o are attached to this email as
encrypted patch-iscsi.tar.gz.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
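
A user-space model of the overflow described in the report above, added here as an illustration; it is not code from the report, the kernel, or the attached patches. The flat frame layout, the function names (decode_unchecked, decode_checked, bytes_clobbered) and the sample CHAP_R strings are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MD5_SIGNATURE_SIZE  16   /* values quoted from iscsi_target_auth.h above */
#define MAX_RESPONSE_LENGTH 64

/* Constructed frame model: client_digest[16], server_digest[16], then
 * response[], the order the report gives for RHEL/x86_64. One flat array
 * keeps the out-of-bounds write inside a single object so it is observable. */
#define CLIENT_OFF 0
#define SERVER_OFF (CLIENT_OFF + MD5_SIGNATURE_SIZE)
#define FRAME_SIZE 80
#define SENTINEL   0xAA

/* Constructed sample inputs; hex digits chosen so no byte equals SENTINEL. */
static const char OVERSIZED_R[] =           /* 64 hex characters */
    "0123456789abcdef" "0123456789abcdef"
    "0123456789abcdef" "0123456789abcdef";
static const char WELL_FORMED_R[] =         /* 32 hex characters */
    "0123456789abcdef" "0123456789abcdef";

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Model of the flawed conversion: the output length comes from the input
 * length alone and a trailing NUL is appended. Returns bytes written. */
static int decode_unchecked(unsigned char *dst, const char *src, size_t len)
{
    size_t i, n = len / 2;

    for (i = 0; i < n; i++) {
        int hi = hex_nibble(src[2 * i]), lo = hex_nibble(src[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        dst[i] = (unsigned char)((hi << 4) | lo);
    }
    dst[n] = '\0';
    return (int)(n + 1);
}

/* Hardened form: the destination size decides what input is accepted, and
 * nothing is written unless the whole string is valid. Returns 0 or -1. */
static int decode_checked(unsigned char *dst, size_t dst_size, const char *src)
{
    size_t i;

    if (strlen(src) != 2 * dst_size)
        return -1;
    for (i = 0; i < 2 * dst_size; i++)
        if (hex_nibble(src[i]) < 0)
            return -1;
    for (i = 0; i < dst_size; i++)
        dst[i] = (unsigned char)((hex_nibble(src[2 * i]) << 4) |
                                 hex_nibble(src[2 * i + 1]));
    return 0;
}

/* Runs one decoder against the modelled frame and counts the bytes changed
 * outside client_digest[]. Returns -1 for input longer than the report's
 * 64-byte maximum, which also keeps every write inside frame[]. */
static int bytes_clobbered(const char *chap_r, int use_checked)
{
    unsigned char frame[FRAME_SIZE];
    size_t i, len = strlen(chap_r);
    int count = 0;

    if (len > MAX_RESPONSE_LENGTH)
        return -1;
    memset(frame, SENTINEL, sizeof(frame));
    if (use_checked)
        (void)decode_checked(frame + CLIENT_OFF, MD5_SIGNATURE_SIZE, chap_r);
    else
        (void)decode_unchecked(frame + CLIENT_OFF, chap_r, len);
    for (i = SERVER_OFF; i < FRAME_SIZE; i++)
        if (frame[i] != SENTINEL)
            count++;
    return count;
}

int main(void)
{
    printf("unchecked, 64 hex chars: %d bytes past client_digest\n",
           bytes_clobbered(OVERSIZED_R, 0));
    printf("checked,   64 hex chars: %d bytes past client_digest\n",
           bytes_clobbered(OVERSIZED_R, 1));
    return 0;
}
```
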
Comment 1 Marcus Meissner 2018-09-10 12:26:30 UTC
Created attachment 782624
patch-iscsi.tar.gz

proposed fixes patchset
Comment 2 Lee Duncan 2018-09-10 16:15:06 UTC
I've got this. But I'm surprised I didn't see this upstream yet, since I'm one of the two maintainers for this kernel subsystem.
Comment 3 Lee Duncan 2018-09-28 22:02:21 UTC
This is already upstream, and it is past the CRD, so I am submitting it to Factory, then SLE 15, and SLE 12 SP4, and SLE 12 SP3. Does it also need to go into SLE 11 SP4?
Comment 4 Lee Duncan 2018-09-28 23:12:51 UTC
Pushed to regular for-next branch of Factory (master) and SLE-15.
Comment 5 Lee Duncan 2018-09-30 19:19:39 UTC
Also pushed my SLE 12 SP4 for-next branch
Comment 8 Lee Duncan 2018-10-01 17:40:14 UTC
Changes pushed to for-next for SLE 12 SP3, but it required modification of another (later) iscsi target patch, twice (one for each of the two new patches).

And it looks like master (Factory), SLE 15, and SLE 12 SP4 merges have occurred.
Comment 14 Lee Duncan 2018-10-02 21:54:13 UTC
This should be nearing completion.
Comment 15 Swamp Workflow Management 2018-10-03 08:35:12 UTC
This is an autogenerated message for OBS integration:
This bug (1107829) was mentioned in
https://build.opensuse.org/request/show/639718 42.3 / kernel-source
Comment 18 Lee Duncan 2018-10-04 02:16:08 UTC
Fun fact: a bit over half done?

I have pushed to:

* master (Factory)

* SLE 15
* SLE 12 SP4
* SLE 12 SP3

* cve/linux-3.0

Also pushing today:
* cve/linux-3.12
* cve/linux-4.4

NOTE: I tried to push to "stable", but it looks like you need permission to push there, and the format of the patches there implies that the patches need to be in a non-rc release of linux before adding them, and these two patches are in 4.19-rc6.

I also looked at cve/linux-2.6.32, but the functions that are patched by this series are not even present in Linux-2.6.32. That implies that cve/linux-2.6.16 will also not need patching.
Comment 21 Swamp Workflow Management 2018-10-04 19:23:33 UTC
This is an autogenerated message for OBS integration:
This bug (1107829) was mentioned in
https://build.opensuse.org/request/show/640014 15.0 / kernel-source
Comment 22 Lee Duncan 2018-10-06 16:39:11 UTC
It looks like both of these patches have already made it to "stable" recently, so no need to backport them.

I believe this bug is done, on my part. I will reassign to security in two days (Oct 8) if I haven't heard any objection.
Comment 23 Swamp Workflow Management 2018-10-08 13:43:59 UTC
openSUSE-SU-2018:3071-1: An update that solves 18 vulnerabilities and has 201 fixes is now available.

Category: security (important)
CVE References: CVE-2018-10902,CVE-2018-10938,CVE-2018-10940,CVE-2018-1128,CVE-2018-1129,CVE-2018-12896,CVE-2018-13093,CVE-2018-13094,CVE-2018-13095,CVE-2018-14613,CVE-2018-14617,CVE-2018-14633,CVE-2018-15572,CVE-2018-16658,CVE-2018-17182,CVE-2018-6554,CVE-2018-6555,CVE-2018-9363
Sources used:
openSUSE Leap 15.0 (src):    kernel-debug-4.12.14-lp150.12.19.2, kernel-default-4.12.14-lp150.12.19.2, kernel-docs-4.12.14-lp150.12.19.3, kernel-kvmsmall-4.12.14-lp150.12.19.2, kernel-obs-build-4.12.14-lp150.12.19.2, kernel-obs-qa-4.12.14-lp150.12.19.2, kernel-source-4.12.14-lp150.12.19.1, kernel-syms-4.12.14-lp150.12.19.1, kernel-vanilla-4.12.14-lp150.12.19.2
Comment 24 Swamp Workflow Management 2018-10-11 08:46:01 UTC
This is an autogenerated message for OBS integration:
This bug (1107829) was mentioned in
https://build.opensuse.org/request/show/641142 42.3 / kernel-source
Comment 25 Lee Duncan 2018-10-11 16:51:56 UTC
Assigning back to security team.
Comment 26 Swamp Workflow Management 2018-10-16 13:14:51 UTC
SUSE-SU-2018:3158-1: An update that solves two vulnerabilities and has 52 fixes is now available.

Category: security (important)
CVE References: CVE-2018-14633,CVE-2018-17182
Sources used:
SUSE Linux Enterprise Module for Live Patching 15 (src):    kernel-default-4.12.14-25.22.1, kernel-livepatch-SLE15_Update_6-1-1.3.1
Comment 27 Swamp Workflow Management 2018-10-16 13:23:57 UTC
SUSE-SU-2018:3159-1: An update that solves two vulnerabilities and has 52 fixes is now available.

Category: security (important)
CVE References: CVE-2018-14633,CVE-2018-17182
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    kernel-default-4.12.14-25.22.1
SUSE Linux Enterprise Module for Legacy Software 15 (src):    kernel-default-4.12.14-25.22.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    kernel-docs-4.12.14-25.22.2, kernel-obs-build-4.12.14-25.22.1, kernel-source-4.12.14-25.22.1, kernel-syms-4.12.14-25.22.1, kernel-vanilla-4.12.14-25.22.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    kernel-default-4.12.14-25.22.1, kernel-source-4.12.14-25.22.1, kernel-zfcpdump-4.12.14-25.22.1
SUSE Linux Enterprise High Availability 15 (src):    kernel-default-4.12.14-25.22.1
Comment 29 Swamp Workflow Management 2018-10-17 19:17:44 UTC
openSUSE-SU-2018:3202-1: An update that solves 13 vulnerabilities and has 74 fixes is now available.

Category: security (important)
CVE References: CVE-2018-13096,CVE-2018-13097,CVE-2018-13098,CVE-2018-13099,CVE-2018-13100,CVE-2018-14613,CVE-2018-14617,CVE-2018-14633,CVE-2018-16276,CVE-2018-16597,CVE-2018-17182,CVE-2018-7480,CVE-2018-7757
Sources used:
openSUSE Leap 42.3 (src):    kernel-debug-4.4.159-73.1, kernel-default-4.4.159-73.1, kernel-docs-4.4.159-73.2, kernel-obs-build-4.4.159-73.1, kernel-obs-qa-4.4.159-73.1, kernel-source-4.4.159-73.1, kernel-syms-4.4.159-73.1, kernel-vanilla-4.4.159-73.1
Comment 34 Swamp Workflow Management 2018-11-05 17:09:38 UTC
SUSE-SU-2018:3618-1: An update that solves four vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1099922,1102870,1106095,1107829,1108227,1109967,1110247,1113337,905299
CVE References: CVE-2018-12896,CVE-2018-14617,CVE-2018-14633,CVE-2018-16276
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kernel-bigsmp-3.0.101-0.47.106.56.1, kernel-default-3.0.101-0.47.106.56.1, kernel-ec2-3.0.101-0.47.106.56.1, kernel-pae-3.0.101-0.47.106.56.1, kernel-source-3.0.101-0.47.106.56.1, kernel-syms-3.0.101-0.47.106.56.1, kernel-trace-3.0.101-0.47.106.56.1, kernel-xen-3.0.101-0.47.106.56.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-bigsmp-3.0.101-0.47.106.56.1, kernel-default-3.0.101-0.47.106.56.1, kernel-pae-3.0.101-0.47.106.56.1, kernel-ppc64-3.0.101-0.47.106.56.1, kernel-trace-3.0.101-0.47.106.56.1, kernel-xen-3.0.101-0.47.106.56.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kernel-default-3.0.101-0.47.106.56.1, kernel-ec2-3.0.101-0.47.106.56.1, kernel-pae-3.0.101-0.47.106.56.1, kernel-source-3.0.101-0.47.106.56.1, kernel-syms-3.0.101-0.47.106.56.1, kernel-trace-3.0.101-0.47.106.56.1, kernel-xen-3.0.101-0.47.106.56.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    kernel-bigsmp-3.0.101-0.47.106.56.1, kernel-default-3.0.101-0.47.106.56.1, kernel-ec2-3.0.101-0.47.106.56.1, kernel-pae-3.0.101-0.47.106.56.1, kernel-trace-3.0.101-0.47.106.56.1, kernel-xen-3.0.101-0.47.106.56.1
Comment 38 Swamp Workflow Management 2018-11-07 20:38:44 UTC
SUSE-SU-2018:3659-1: An update that solves 10 vulnerabilities and has 104 fixes is now available.

Category: security (important)
CVE References: CVE-2018-14613,CVE-2018-14617,CVE-2018-14633,CVE-2018-16276,CVE-2018-16597,CVE-2018-17182,CVE-2018-18386,CVE-2018-7480,CVE-2018-7757,CVE-2018-9516
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP3 (src):    kernel-rt-4.4.162-3.26.1, kernel-rt_debug-4.4.162-3.26.1, kernel-source-rt-4.4.162-3.26.1, kernel-syms-rt-4.4.162-3.26.1
Comment 39 Swamp Workflow Management 2018-11-09 20:37:29 UTC
SUSE-SU-2018:3688-1: An update that solves 6 vulnerabilities and has 100 fixes is now available.

Category: security (important)
CVE References: CVE-2018-14633,CVE-2018-18281,CVE-2018-18386,CVE-2018-18690,CVE-2018-18710,CVE-2018-9516
Sources used:
SUSE Linux Enterprise Live Patching 12-SP3 (src):    kgraft-patch-SLE12-SP3_Update_21-1-4.5.2
Comment 43 Swamp Workflow Management 2018-11-22 20:20:19 UTC
SUSE-SU-2018:3869-1: An update that solves 8 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 1031240,1047027,1049128,1050431,1064861,1065600,1066674,1071021,1081680,1094244,1094825,1103145,1105799,1106139,1106240,1107371,1107829,1107849,1108314,1108498,1109806,1109818,1110006,1110247,1113337,1113751,1113769,1114460,923775
CVE References: CVE-2017-1000407,CVE-2017-16533,CVE-2017-7273,CVE-2018-14633,CVE-2018-18281,CVE-2018-18386,CVE-2018-18710,CVE-2018-9516
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP4 (src):    kernel-rt-3.0.101.rt130-69.39.1, kernel-rt_trace-3.0.101.rt130-69.39.1, kernel-source-rt-3.0.101.rt130-69.39.1, kernel-syms-rt-3.0.101.rt130-69.39.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-rt-3.0.101.rt130-69.39.1, kernel-rt_debug-3.0.101.rt130-69.39.1, kernel-rt_trace-3.0.101.rt130-69.39.1
Comment 44 Swamp Workflow Management 2018-11-30 20:44:27 UTC
SUSE-SU-2018:3961-1: An update that solves 22 vulnerabilities and has 286 fixes is now available.

Category: security (important)
CVE References: CVE-2017-16533,CVE-2017-18224,CVE-2018-10902,CVE-2018-10938,CVE-2018-10940,CVE-2018-1128,CVE-2018-1129,CVE-2018-12896,CVE-2018-13093,CVE-2018-13095,CVE-2018-14613,CVE-2018-14617,CVE-2018-14633,CVE-2018-15572,CVE-2018-16658,CVE-2018-17182,CVE-2018-18386,CVE-2018-18445,CVE-2018-18710,CVE-2018-6554,CVE-2018-6555,CVE-2018-9363
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15 (src):    kernel-azure-4.12.14-5.16.1, kernel-source-azure-4.12.14-5.16.1, kernel-syms-azure-4.12.14-5.16.1
Comment 47 Swamp Workflow Management 2019-01-16 07:34:21 UTC
SUSE-SU-2019:0095-1: An update that solves 13 vulnerabilities and has 140 fixes is now available.

Category: security (important)
CVE References: CVE-2018-14613,CVE-2018-14617,CVE-2018-14633,CVE-2018-16276,CVE-2018-16597,CVE-2018-17182,CVE-2018-18281,CVE-2018-18386,CVE-2018-18690,CVE-2018-18710,CVE-2018-7480,CVE-2018-7757,CVE-2018-9516
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    kernel-azure-4.4.162-4.19.2, kernel-source-azure-4.4.162-4.19.1, kernel-syms-azure-4.4.162-4.19.1
Comment 50 Miroslav Beneš 2019-02-20 10:20:33 UTC
It seems that the patches have never made it to cve/linux-4.4 branch and thus SLE12-SP2 is still vulnerable.

Lee, could you have a look, please?
Comment 52 Lee Duncan 2019-02-22 18:01:56 UTC
(In reply to Miroslav Beneš from comment #50)
> It seems that the patches have never made it to cve/linux-4.4 branch and
> thus SLE12-SP2 is still vulnerable.
> 
> Lee, could you have a look, please?

The patch is present in the cve-4.4 branch, and in the SLE-12-SP2-LTSS branch, since 12.2 is in LTSS now, i.e. there is no other SP2 branch. I do not know when this will be pushed out as a maintenance update for 12SP2, but I'd be surprised if it hasn't been done already.

I will re-assign to the security team to find out. Marcus?
Comment 53 Takashi Iwai 2019-02-22 19:33:01 UTC
Well, the patch isn't present in cve/linux-4.4 yet.  You pushed to your branch but it was never merged because the merge to cve/linux-4.4 conflicted badly with SLE12-SP3 at that time.  The merge would have been accepted *only* when you provided the proper merge commit to SLE12-SP3.  It was announced on kernel ML sometime ago, but people never got it, unfortunately.

The merge through cve/linux-4.4 was a nightmare, and it was always a trouble.  That's the reason I preferred to merge to both SLE12-SP2-LTSS and SLE12-SP3 in the past, instead of cve/linux-4.4.

Meanwhile, we recently decided to sort the whole 4.4.x-based trees, including cve/linux-4.4.  This eased the situation of the merge a very little bit, so we started accepting the merge from cve/linux-4.4 now in a more relaxed way.

So, I refreshed the patches and applied to the sorted section of cve/linux-4.4 branch now.  Then I'm going to do the empty-merge to SLE12-SP3, and leave the rest to Michal for SLE12-SP2-LTSS merge.

... Now you guys see what crazy stuff we have to suffer from the tiny fix...
Comment 54 Takashi Iwai 2019-02-22 19:36:47 UTC
Michal, please merge the fix to SLE12-SP2-LTSS from cve/linux-4.4.
Comment 55 Michal Koutný 2019-02-22 22:44:37 UTC
Thanks. The two patches referencing this CVE were merged in SLE12-SP2-LTSS.
Comment 58 Swamp Workflow Management 2019-04-01 13:11:33 UTC
SUSE-SU-2019:0828-1: An update that solves 6 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 1012382,1075697,1082943,1098599,1102959,1105402,1107829,1108145,1109137,1109330,1110286,1117645,1119019,1120691,1121698,1121805,1122821,1124728,1124732,1124735,1125315,1127155,1127758,1127961,1128166,1129080,1129179
CVE References: CVE-2018-14633,CVE-2019-2024,CVE-2019-6974,CVE-2019-7221,CVE-2019-7222,CVE-2019-9213
Sources used:
SUSE OpenStack Cloud 7 (src):    kernel-default-4.4.121-92.104.1, kernel-source-4.4.121-92.104.1, kernel-syms-4.4.121-92.104.1, kgraft-patch-SLE12-SP2_Update_28-1-3.3.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    kernel-default-4.4.121-92.104.1, kernel-source-4.4.121-92.104.1, kernel-syms-4.4.121-92.104.1, kgraft-patch-SLE12-SP2_Update_28-1-3.3.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    kernel-default-4.4.121-92.104.1, kernel-source-4.4.121-92.104.1, kernel-syms-4.4.121-92.104.1, kgraft-patch-SLE12-SP2_Update_28-1-3.3.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    kernel-default-4.4.121-92.104.1, kernel-source-4.4.121-92.104.1, kernel-syms-4.4.121-92.104.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.121-92.104.1
SUSE Enterprise Storage 4 (src):    kernel-default-4.4.121-92.104.1, kernel-source-4.4.121-92.104.1, kernel-syms-4.4.121-92.104.1, kgraft-patch-SLE12-SP2_Update_28-1-3.3.1
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.121-92.104.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 63 Swamp Workflow Management 2019-05-17 19:19:17 UTC
SUSE-SU-2019:1289-1: An update that solves 33 vulnerabilities and has 13 fixes is now available.

Category: security (important)
CVE References: CVE-2016-10741,CVE-2017-1000407,CVE-2017-16533,CVE-2017-7273,CVE-2017-7472,CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-14633,CVE-2018-15572,CVE-2018-16884,CVE-2018-18281,CVE-2018-18386,CVE-2018-18690,CVE-2018-18710,CVE-2018-19407,CVE-2018-19824,CVE-2018-19985,CVE-2018-20169,CVE-2018-5391,CVE-2018-9516,CVE-2018-9568,CVE-2019-11091,CVE-2019-11486,CVE-2019-3459,CVE-2019-3460,CVE-2019-3882,CVE-2019-6974,CVE-2019-7221,CVE-2019-7222,CVE-2019-8564,CVE-2019-9213,CVE-2019-9503
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    kernel-default-3.12.74-60.64.110.1, kernel-source-3.12.74-60.64.110.1, kernel-syms-3.12.74-60.64.110.1, kernel-xen-3.12.74-60.64.110.1, lttng-modules-2.7.0-4.4.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    kernel-default-3.12.74-60.64.110.1, kernel-source-3.12.74-60.64.110.1, kernel-syms-3.12.74-60.64.110.1, kernel-xen-3.12.74-60.64.110.1, lttng-modules-2.7.0-4.4.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.74-60.64.110.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 64 Marcus Meissner 2019-06-13 14:08:34 UTC
released