Security update for util-linux SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:0553-1 Final 1 1 2017-02-23T07:49:27Z current 2017-02-23T07:49:27Z 2017-02-23T07:49:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for util-linux This update for util-linux fixes a number of bugs and two security issues. The following security bugs were fixed: - CVE-2016-5011: Infinite loop DoS in libblkid while parsing DOS partition (bsc#988361) - CVE-2017-2616: In su with PAM support it was possible for local users to send SIGKILL to selected other processes with root privileges (bsc#1023041). The following non-security bugs were fixed: - bsc#1008965: Ensure that the option 'users,exec,dev,suid' work as expected on NFS mounts - bsc#1012504: Fix regressions in safe loop re-use patch set for libmount - bsc#1012632: Disable ro checks for mtab - bsc#1020077: fstrim: De-duplicate btrfs sub-volumes for 'fstrim -a' and bind mounts - bsc#947494: mount -a would fail to recognize btrfs already mounted, address loop re-use in libmount - bsc#966891: Conflict in meaning of losetup -L. This switch in SLE12 SP1 and SP2 continues to carry the meaning of --logical-blocksize instead of upstream --nooverlap - bsc#978993: cfdisk would mangle some text output - bsc#982331: libmount: ignore redundant slashes - bsc#983164: mount uid= and gid= would reject valid non UID/GID values - bsc#987176: When mounting a subfolder of a CIFS share, mount -a would show the mount as busy - bsc#1019332: lscpu: Implement WSL detection and work around crash The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-SAP-12-2017-290,SUSE-SLE-SERVER-12-2017-290 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20170553-1/ Link for SUSE-SU-2017:0553-1 https://lists.suse.com/pipermail/sle-security-updates/2017-February/002660.html E-Mail link for SUSE-SU-2017:0553-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1008965 SUSE Bug 1008965 https://bugzilla.suse.com/1012504 SUSE Bug 1012504 https://bugzilla.suse.com/1012632 SUSE Bug 1012632 https://bugzilla.suse.com/1019332 SUSE Bug 1019332 https://bugzilla.suse.com/1020077 SUSE Bug 1020077 https://bugzilla.suse.com/1023041 SUSE Bug 1023041 https://bugzilla.suse.com/947494 SUSE Bug 947494 https://bugzilla.suse.com/966891 SUSE Bug 966891 https://bugzilla.suse.com/978993 SUSE Bug 978993 https://bugzilla.suse.com/982331 SUSE Bug 982331 https://bugzilla.suse.com/983164 SUSE Bug 983164 https://bugzilla.suse.com/987176 SUSE Bug 987176 https://bugzilla.suse.com/988361 SUSE Bug 988361 https://www.suse.com/security/cve/CVE-2016-5011/ SUSE CVE CVE-2016-5011 page https://www.suse.com/security/cve/CVE-2017-2616/ SUSE CVE CVE-2017-2616 page SUSE Linux Enterprise Server 12-LTSS SUSE Linux Enterprise Server for SAP Applications 12 libblkid1-2.25-24.10.1 libblkid1-32bit-2.25-24.10.1 libmount1-2.25-24.10.1 libmount1-32bit-2.25-24.10.1 libsmartcols1-2.25-24.10.1 libuuid1-2.25-24.10.1 libuuid1-32bit-2.25-24.10.1 python-libmount-2.25-24.10.3 util-linux-2.25-24.10.1 util-linux-lang-2.25-24.10.1 util-linux-systemd-2.25-24.10.1 uuidd-2.25-24.10.1 libblkid1-2.25-24.10.1 as a component of SUSE Linux Enterprise Server 12-LTSS libblkid1-32bit-2.25-24.10.1 as a component of SUSE Linux Enterprise Server 12-LTSS libmount1-2.25-24.10.1 as a component of SUSE Linux Enterprise Server 12-LTSS libmount1-32bit-2.25-24.10.1 as a component of SUSE Linux Enterprise Server 12-LTSS libsmartcols1-2.25-24.10.1 as a component of SUSE Linux Enterprise Server 12-LTSS libuuid1-2.25-24.10.1 as a component of SUSE Linux Enterprise Server 12-LTSS libuuid1-32bit-2.25-24.10.1 as a component of SUSE Linux Enterprise Server 12-LTSS python-libmount-2.25-24.10.3 as a component of SUSE Linux Enterprise Server 12-LTSS util-linux-2.25-24.10.1 as a component of SUSE Linux Enterprise Server 12-LTSS util-linux-lang-2.25-24.10.1 as a component of SUSE Linux Enterprise Server 12-LTSS util-linux-systemd-2.25-24.10.1 as a component of SUSE Linux Enterprise Server 12-LTSS uuidd-2.25-24.10.1 as a component of SUSE Linux Enterprise Server 12-LTSS libblkid1-2.25-24.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 libblkid1-32bit-2.25-24.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 libmount1-2.25-24.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 libmount1-32bit-2.25-24.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 libsmartcols1-2.25-24.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 libuuid1-2.25-24.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 libuuid1-32bit-2.25-24.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 python-libmount-2.25-24.10.3 as a component of SUSE Linux Enterprise Server for SAP Applications 12 util-linux-2.25-24.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 util-linux-lang-2.25-24.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 util-linux-systemd-2.25-24.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 uuidd-2.25-24.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset. CVE-2016-5011 SUSE Linux Enterprise Server 12-LTSS:libblkid1-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:libblkid1-32bit-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:libmount1-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:libmount1-32bit-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:libsmartcols1-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:libuuid1-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:libuuid1-32bit-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:python-libmount-2.25-24.10.3 SUSE Linux Enterprise Server 12-LTSS:util-linux-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:util-linux-lang-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:util-linux-systemd-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:uuidd-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:libblkid1-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:libblkid1-32bit-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:libmount1-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:libmount1-32bit-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:libsmartcols1-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:libuuid1-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:libuuid1-32bit-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:python-libmount-2.25-24.10.3 SUSE Linux Enterprise Server for SAP Applications 12:util-linux-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:util-linux-lang-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:util-linux-systemd-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:uuidd-2.25-24.10.1 low 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170553-1/ https://www.suse.com/security/cve/CVE-2016-5011.html CVE-2016-5011 https://bugzilla.suse.com/988361 SUSE Bug 988361 A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. CVE-2017-2616 SUSE Linux Enterprise Server 12-LTSS:libblkid1-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:libblkid1-32bit-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:libmount1-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:libmount1-32bit-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:libsmartcols1-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:libuuid1-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:libuuid1-32bit-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:python-libmount-2.25-24.10.3 SUSE Linux Enterprise Server 12-LTSS:util-linux-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:util-linux-lang-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:util-linux-systemd-2.25-24.10.1 SUSE Linux Enterprise Server 12-LTSS:uuidd-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:libblkid1-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:libblkid1-32bit-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:libmount1-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:libmount1-32bit-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:libsmartcols1-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:libuuid1-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:libuuid1-32bit-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:python-libmount-2.25-24.10.3 SUSE Linux Enterprise Server for SAP Applications 12:util-linux-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:util-linux-lang-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:util-linux-systemd-2.25-24.10.1 SUSE Linux Enterprise Server for SAP Applications 12:uuidd-2.25-24.10.1 important 4.7 AV:L/AC:M/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170553-1/ https://www.suse.com/security/cve/CVE-2017-2616.html CVE-2017-2616 https://bugzilla.suse.com/1023041 SUSE Bug 1023041 https://bugzilla.suse.com/1123789 SUSE Bug 1123789