Bug 1010444 (CVE-2016-7917)

Summary: VUL-0: CVE-2016-7917: kernel: infinite loop triggered if nlh->nlmsg_len is zero
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: bpetkov, meissner, mkubecek, smash_bz, tiwai
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/176402/
Whiteboard: CVSSv2:NVD:CVE-2016-7917:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:RedHat:CVE-2016-7917:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:SUSE:CVE-2016-7917:5.0:(AV:L/AC:M/Au:S/C:P/I:N/A:C) CVSSv3:NVD:CVE-2016-7917:5.0:(AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N) CVSSv3:RedHat:CVE-2016-7917:5.0:(AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2016-11-16 11:12:51 UTC
CVE-2016-7917

The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux
kernel before 4.5 does not check whether a batch message's length field is large
enough, which allows local users to obtain sensitive information from kernel
memory or cause a denial of service (infinite loop or out-of-bounds read) by
leveraging the CAP_NET_ADMIN capability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7917
https://github.com/torvalds/linux/commit/c58d6c93680f28ac58984af61d0a7ebf4319c241
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c58d6c93680f28ac58984af61d0a7ebf4319c241
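A user-space model of the length validation the referenced fix adds to the batch walker, added here as an example and not code from the kernel or from this bug report. The struct nl_hdr type, walk_batch and the constructed batches are assumptions; nl_hdr mirrors the field layout of struct nlmsghdr, and NL_ALIGN applies the same 4-byte rounding as NLMSG_ALIGN.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed user-space model of struct nlmsghdr (same layout as <linux/netlink.h>). */
struct nl_hdr {
    uint32_t nlmsg_len;   /* header + payload length, as supplied by the sender */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};
#define NL_ALIGN(len) (((len) + 3u) & ~3u)
#define NL_HDRLEN ((uint32_t)NL_ALIGN(sizeof(struct nl_hdr)))

/* Walk the messages in buf[0..len). Returns how many were found, or -1 at the first
 * malformed length field. Without check (a), a zero nlmsg_len advances the cursor by
 * zero bytes and the loop never ends; without (b), an oversized length reads past the end. */
int walk_batch(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off + NL_HDRLEN <= len) {
        struct nl_hdr h;
        memcpy(&h, buf + off, sizeof h);          /* copy out: no unaligned access */
        if (h.nlmsg_len < NL_HDRLEN)              /* (a) zero or truncated header */
            return -1;
        if (h.nlmsg_len > len - off)              /* (b) claims more than remains */
            return -1;
        count++;
        off += NL_ALIGN(h.nlmsg_len);             /* same rounding the kernel applies */
    }
    return count;
}

/* Append a header carrying len_field, followed by a zero-filled payload, occupying actual bytes. */
static size_t put_msg(uint8_t *buf, size_t off, uint32_t len_field, size_t actual)
{
    struct nl_hdr h = { len_field, 0, 0, 0, 0 };
    memset(buf + off, 0, actual);
    memcpy(buf + off, &h, sizeof h);
    return off + actual;
}

/* Constructed batches: two well-formed messages; a second header with nlmsg_len == 0; a header overstating its size. */
int demo_valid(void)     { uint8_t b[64]; size_t n = put_msg(b, 0, 24, 24); n = put_msg(b, n, 16, 16); return walk_batch(b, n); }
int demo_zero_len(void)  { uint8_t b[64]; size_t n = put_msg(b, 0, 16, 16); n = put_msg(b, n, 0, 16);  return walk_batch(b, n); }
int demo_oversized(void) { uint8_t b[64]; size_t n = put_msg(b, 0, 200, 16);                           return walk_batch(b, n); }
```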
Comment 1 Swamp Workflow Management 2016-11-16 23:03:09 UTC
bugbot adjusting priority
Comment 4 Michal Kubeček 2016-11-21 13:52:33 UTC
Introduced in v3.19-rc5 (offending commit not backported anywhere), fixed in
v4.5-rc6 (fix not backported to any stable). The fix will be needed in

  SLE12-SP2 (-> SLE12-SP3, openSUSE-42.2)
  openSUSE-42.1 (-> SLE12-SP1-ARM)
Comment 5 Swamp Workflow Management 2016-12-08 12:15:13 UTC
openSUSE-SU-2016:3050-1: An update that solves 12 vulnerabilities and has 75 fixes is now available.

Category: security (important)
Bug References: 1000118,1000433,1001171,1001310,1001486,1001888,1003813,1004052,1004365,1004517,1005169,1005666,1005745,1005917,1005921,1005925,1005929,1006175,1006576,1006809,1006827,1006915,1006918,1007197,1007615,1007653,1007955,1008831,1008979,1009062,1009454,1010040,1010158,1010444,1010478,1010507,1010665,1010690,1010970,1011176,1011685,1011913,1012060,1012094,1012452,1012477,1012754,1012767,1012829,1012992,1013479,1013533,1013700,799133,843661,914939,954986,963609,963655,963904,964462,966186,966191,966316,966318,966325,969476,969477,971975,972993,974313,978907,979681,983087,983318,985850,986255,987805,990384,991414,992555,993739,994881,995278,997059,997807,998054
CVE References: CVE-2015-1350,CVE-2015-8964,CVE-2016-7042,CVE-2016-7913,CVE-2016-7917,CVE-2016-8632,CVE-2016-8655,CVE-2016-8666,CVE-2016-9083,CVE-2016-9084,CVE-2016-9555,CVE-2016-9794
Sources used:
openSUSE Leap 42.2 (src):    kernel-debug-4.4.36-5.1, kernel-default-4.4.36-5.1, kernel-docs-4.4.36-5.3, kernel-obs-build-4.4.36-5.1, kernel-obs-qa-4.4.36-5.1, kernel-source-4.4.36-5.1, kernel-syms-4.4.36-5.1, kernel-vanilla-4.4.36-5.1
Comment 6 Michal Kubeček 2017-01-03 11:13:33 UTC
The fix is now present in

    master              3.19.0
    stable              3.19.0
    SLE12-SP2           6ec477d7461e
    openSUSE-42.1       89b3866745ec

Reassigning back to the security team.
Comment 7 Swamp Workflow Management 2017-01-17 18:24:35 UTC
SUSE-SU-2017:0181-1: An update that solves 13 vulnerabilities and has 127 fixes is now available.

Category: security (important)
Bug References: 1000118,1000189,1000287,1000304,1000433,1000776,1001169,1001171,1001310,1001462,1001486,1001888,1002322,1002770,1002786,1003068,1003566,1003581,1003606,1003813,1003866,1003964,1004048,1004052,1004252,1004365,1004517,1005169,1005327,1005545,1005666,1005745,1005895,1005917,1005921,1005923,1005925,1005929,1006103,1006175,1006267,1006528,1006576,1006804,1006809,1006827,1006915,1006918,1007197,1007615,1007653,1007955,1008557,1008979,1009062,1009969,1010040,1010158,1010444,1010478,1010507,1010665,1010690,1010970,1011176,1011250,1011913,1012060,1012094,1012452,1012767,1012829,1012992,1013001,1013479,1013531,1013700,1014120,1014392,1014701,1014710,1015212,1015359,1015367,1015416,799133,914939,922634,963609,963655,963904,964462,966170,966172,966186,966191,966316,966318,966325,966471,969474,969475,969476,969477,969756,971975,971989,972993,974313,974842,974843,978907,979378,979681,981825,983087,983152,983318,985850,986255,986987,987641,987703,987805,988524,988715,990384,992555,993739,993841,993891,994881,995278,997059,997639,997807,998054,998689,999907,999932
CVE References: CVE-2015-1350,CVE-2015-8964,CVE-2016-7039,CVE-2016-7042,CVE-2016-7425,CVE-2016-7913,CVE-2016-7917,CVE-2016-8645,CVE-2016-8666,CVE-2016-9083,CVE-2016-9084,CVE-2016-9793,CVE-2016-9919
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    kernel-default-4.4.38-93.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    kernel-docs-4.4.38-93.3, kernel-obs-build-4.4.38-93.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    kernel-default-4.4.38-93.1, kernel-source-4.4.38-93.1, kernel-syms-4.4.38-93.1
SUSE Linux Enterprise Server 12-SP2 (src):    kernel-default-4.4.38-93.1, kernel-source-4.4.38-93.1, kernel-syms-4.4.38-93.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_4-1-2.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.38-93.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    kernel-default-4.4.38-93.1, kernel-source-4.4.38-93.1, kernel-syms-4.4.38-93.1
Comment 8 Swamp Workflow Management 2017-02-13 20:31:09 UTC
openSUSE-SU-2017:0458-1: An update that solves 8 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1003077,1007886,1009969,1010444,1011820,1013273,1013531,1013540,1013542,1017589,1017710,1019658,1019660,1019784,1020214,1020381,1021258,983348,987333,987576
CVE References: CVE-2016-10088,CVE-2016-10147,CVE-2016-7117,CVE-2016-7917,CVE-2016-8645,CVE-2016-9793,CVE-2016-9806,CVE-2017-5551
Sources used:
openSUSE Leap 42.1 (src):    kernel-debug-4.1.38-47.1, kernel-default-4.1.38-47.1, kernel-docs-4.1.38-47.2, kernel-ec2-4.1.38-47.1, kernel-obs-build-4.1.38-47.3, kernel-obs-qa-4.1.38-47.1, kernel-pae-4.1.38-47.1, kernel-pv-4.1.38-47.1, kernel-source-4.1.38-47.1, kernel-syms-4.1.38-47.1, kernel-vanilla-4.1.38-47.1, kernel-xen-4.1.38-47.1
Comment 9 Marcus Meissner 2017-03-02 13:16:04 UTC
released