Bugzilla – Bug 1032435
VUL-1: CVE-2016-10318: kernel-source: A missing authorization check in the fscrypt_process_policy function in fs/crypto/policy.c in the ex...
Last modified: 2017-10-24 09:41:07 UTC
A missing authorization check in the fscrypt_process_policy function in
fs/crypto/policy.c in the ext4 and f2fs filesystem encryption support in the
Linux kernel before 4.7.4 allows a user to assign an encryption policy to a
directory owned by a different user, potentially creating a denial of service.
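The flaw described above is an authorization gap, not a memory bug: the routine that attaches an encryption policy to a directory never asked whether the caller was entitled to change that directory. The following userspace C model is an added example, not code from this bug report or from the kernel; it shows the unchecked pattern beside the checked one and walks through the denial-of-service scenario the description names (a non-owner sets a policy, and the real owner's later attempt is refused). All structure and function names are my own, the "policy already set, refuse" behaviour is a deliberate simplification, and the owner-or-privileged test mirrors what the kernel expresses with its `inode_owner_or_capable()` helper.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the objects involved; none of this is kernel code. */
struct policy {
    unsigned char version;
    unsigned char contents_mode;
    unsigned char filenames_mode;
    unsigned char master_key_descriptor[8];
};

struct dir_inode {
    unsigned int owner;   /* i_uid of the directory */
    bool has_policy;      /* a policy has already been attached */
    struct policy pol;
};

struct caller {
    unsigned int fsuid;   /* filesystem uid of the process making the request */
    bool cap_fowner;      /* caller holds CAP_FOWNER (root normally does) */
};

/* Unchecked pattern: any caller that can open the directory may set a policy.
 * Simplification: a directory that already carries a policy refuses a second one. */
int process_policy_unchecked(struct dir_inode *dir, const struct caller *who,
                             const struct policy *pol)
{
    (void)who;            /* caller identity is never consulted: that is the bug */
    if (dir->has_policy)
        return -EEXIST;
    dir->pol = *pol;
    dir->has_policy = true;
    return 0;
}

/* The authorization test: directory owner, or a caller privileged over ownership. */
static bool owner_or_capable(const struct dir_inode *dir, const struct caller *who)
{
    return who->fsuid == dir->owner || who->cap_fowner;
}

/* Checked pattern: refuse before touching the inode if the caller is not entitled. */
int process_policy_checked(struct dir_inode *dir, const struct caller *who,
                           const struct policy *pol)
{
    if (!owner_or_capable(dir, who))
        return -EACCES;
    return process_policy_unchecked(dir, who, pol);
}

/* Constructed scenario: uid 1001 (no CAP_FOWNER) acts on a directory owned by
 * uid 1000, then the owner tries to set its own policy.  step 0 returns the
 * intruder's result, step 1 the owner's subsequent result. */
int scenario_rc(bool use_check, int step)
{
    int (*process)(struct dir_inode *, const struct caller *, const struct policy *) =
        use_check ? process_policy_checked : process_policy_unchecked;
    struct dir_inode dir = { .owner = 1000, .has_policy = false };
    struct caller intruder = { .fsuid = 1001, .cap_fowner = false };
    struct caller owner = { .fsuid = 1000, .cap_fowner = false };
    struct policy intruder_pol = { .version = 0, .master_key_descriptor = { 0xaa } };
    struct policy owner_pol = { .version = 0, .master_key_descriptor = { 0x55 } };

    int intruder_rc = process(&dir, &intruder, &intruder_pol);
    int owner_rc = process(&dir, &owner, &owner_pol);
    return step == 0 ? intruder_rc : owner_rc;
}

int main(void)
{
    printf("unchecked: intruder rc=%d, owner rc=%d\n",
           scenario_rc(false, 0), scenario_rc(false, 1));
    printf("checked:   intruder rc=%d, owner rc=%d\n",
           scenario_rc(true, 0), scenario_rc(true, 1));
    return 0;
}
```

In the unchecked variant the intruder succeeds and the owner is locked out of its own directory with `-EEXIST`, which is the denial of service the CVE text refers to; with the check in place the intruder gets `-EACCES` and the owner proceeds normally. The check belongs before any state is modified, so a rejected request leaves the inode untouched.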
code does not exist in our 4.4 kernel of SLES 12 SP2.
The fscrypto versions don't exist, but the ext4 and f2fs versions do.
The good news is that they were already fixed via 4.4.22 in September.
They haven't been fixed in openSUSE 42.1, though.
The f2fs code didn't exist in 4.1, so the fix is only ext4.
SLE11 SP4: unaffected (no vulnerability)
SLE12 GA/SP1: unaffected (no vulnerability)
SLE12 SP2/SP3: fixed (stable)
openSUSE 42.1: patch applied
openSUSE 42.2/42.3: fixed (stable, inherited via SLE12 SP2)
Tumbleweed: unaffected (fixed in upstream release older than current TW kernel release)
This is an autogenerated message for OBS integration:
This bug (1032435) was mentioned in
https://build.opensuse.org/request/show/492423 42.1 / kernel-source
openSUSE-SU-2017:1215-1: An update that solves 8 vulnerabilities and has 7 fixes is now available.
Category: security (important)
Bug References: 1012829,1012876,1028415,1030213,1031003,1031052,1031440,1031579,1032435,1033336,1033340,1033518,1034670,930399,970083
CVE References: CVE-2016-10318,CVE-2017-2671,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7616,CVE-2017-7618
openSUSE Leap 42.1 (src): kernel-debug-4.1.39-56.1, kernel-default-4.1.39-56.1, kernel-docs-4.1.39-56.2, kernel-ec2-4.1.39-56.1, kernel-obs-build-4.1.39-56.3, kernel-obs-qa-4.1.39-56.1, kernel-pae-4.1.39-56.1, kernel-pv-4.1.39-56.1, kernel-source-4.1.39-56.1, kernel-syms-4.1.39-56.1, kernel-vanilla-4.1.39-56.1, kernel-xen-4.1.39-56.1