Bug 919655 (CVE-2015-0274)

Summary: VUL-0: CVE-2015-0274: kernel: xfs: Unprivileged local user can leak kernel memory
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Jeff Mahoney <jeffm>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: bpetkov, jack, mhocko
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:RedHat:CVE-2015-0274:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2015-0274:7.2:(AV:L/AC:L/Au:N/C:C/I:C/A:C)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 3 Swamp Workflow Management 2015-02-26 23:00:47 UTC
bugbot adjusting priority
Comment 5 Jan Kara 2015-03-02 09:02:55 UTC
Yeah, this affects only kernels between 3.11 and 3.14 (inclusive). SLE12 branch already has the fix, and 13.2 kernel has the fix from upstream. So the only branch missing the fix is openSUSE-13.1. I'll take care of pushing the fix there.
Comment 6 Jan Kara 2015-03-02 09:11:27 UTC
OK, pushed the fix to openSUSE-13.1 branch.
Comment 7 Marcus Meissner 2015-03-05 12:08:24 UTC
public now.
Comment 8 Jan Kara 2015-04-08 12:54:59 UTC
AFAICT this can be closed. We have the patch in all the relevant branches. Marcus?
Comment 9 Jan Kara 2015-05-18 12:16:17 UTC
Closing the bug since the patch is everywhere for over two months.
Comment 10 Marcus Meissner 2015-09-09 15:25:16 UTC
In SLE12 branch:

patches.fixes/xfs-remote-attribute-overwrite-causes-transaction-o.patch

commit 72b7a0cf0cee4d8e4107fbb9e6db39a51943bc61
Author: Jan Kara <jack@suse.cz>
Date:   Thu May 22 19:23:36 2014 +0200

    xfs: remote attribute overwrite causes transaction overrun.


-> This was fixed before the release.
Comment 11 Marcus Meissner 2015-09-09 15:26:39 UTC
perl bin/addnote CVE-2015-0274 "This issue affected Linux Kernel 3.11 up to 3.14. The SUSE Linux Enterprise 12 kernel was fixed before the GA shipment. Older SUSE Linux Enterprise versions are not affected."