Bug 1118463 - (CVE-2018-19640) VUL-1: CVE-2018-19640: supportutils: Users can kill arbitrary processes
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Jason Record
QA Contact: Security Team bot
Whiteboard: CVSSv3:SUSE:CVE-2018-19640:5.0:(AV:L/...
Depends on:
Blocks:
Reported: 2018-12-05 10:44 UTC by Johannes Segitz
Modified: 2021-01-17 08:06 UTC
See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments:

Description Johannes Segitz 2018-12-05 10:44:16 UTC
In combination with CVE-2018-19638 you can kill arbitrary processes. For each process you would like to kill, create a *SEMAPHORE.pid file and add it to /tmp/hb-report.tar.bz2. List the pid you want to kill in the file; after a run of supportconfig it is killed in timed_cmd_cleanup.
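The weakness described in the report is a cleanup routine that trusts a pid list read back from a file under /tmp, a location any local user can write to. The following shell functions are an added example written for this page; they are not code from supportutils. They keep the pids of the timed commands in a shell variable instead of a file, and before signalling anything they confirm through /proc (falling back to ps) that the pid is still a live child of the running script. The function names run_timed_cmd, is_own_child, is_tracked, kill_if_tracked and timed_cmd_cleanup are this example's own names, not supportconfig's.

```shell
#!/bin/sh
# Added example: hardened bookkeeping for background "timed" commands.
# Not supportutils code. Pids are tracked in memory, never in /tmp, and a
# pid is only signalled after its parent is verified to be this shell ($$).

TIMED_CMD_PIDS=""        # space-separated pids this script started
TIMED_CMD_LAST_PID=""    # pid of the most recent run_timed_cmd

run_timed_cmd() {
    # Start "$@" in the background and record its pid in memory.
    "$@" &
    TIMED_CMD_LAST_PID=$!
    TIMED_CMD_PIDS="$TIMED_CMD_PIDS $TIMED_CMD_LAST_PID"
}

is_own_child() {
    # Succeed only if $1 is numeric and its parent pid is this shell.
    pid=$1
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ -r "/proc/$pid/status" ]; then
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
    else
        ppid=$(ps -o ppid= -p "$pid" 2>/dev/null | tr -d ' ')
    fi
    [ -n "$ppid" ] && [ "$ppid" = "$$" ]
}

is_tracked() {
    # Succeed only if $1 was recorded by run_timed_cmd in this run.
    for p in $TIMED_CMD_PIDS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

kill_if_tracked() {
    # Refuse a pid that was not started here or is no longer our child,
    # so a pid planted in a world-writable file can never reach kill(1).
    is_tracked "$1" || return 1
    is_own_child "$1" || return 1
    kill "$1"
}

timed_cmd_cleanup() {
    # Terminate every tracked pid that is still our child, then forget them.
    rc=0
    for p in $TIMED_CMD_PIDS; do
        if is_own_child "$p"; then
            kill "$p" 2>/dev/null || rc=1
        fi
    done
    TIMED_CMD_PIDS=""
    return $rc
}
```

The parent check matters even for pids recorded in memory: a timed command that already exited may have had its pid reused by an unrelated process by the time cleanup runs, and the /proc lookup turns that stale pid into a refused kill rather than a hit on a stranger.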
Comment 4 Johannes Segitz 2019-02-19 09:43:30 UTC
So there's a minimal risk of false positives, but I don't think that's a serious issue. So we're fine, thanks.
Comment 6 Swamp Workflow Management 2019-02-25 20:12:51 UTC
SUSE-SU-2019:0480-1: An update that solves four vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 1043311,1046681,1051797,1071545,1105849,1112461,1115245,1117776,1118460,1118462,1118463,1125609,1125666
CVE References: CVE-2018-19637,CVE-2018-19638,CVE-2018-19639,CVE-2018-19640
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    supportutils-3.1-5.7.1
Comment 7 Jason Record 2019-02-26 16:06:08 UTC
MR 185557 for SLE11 submitted
Comment 9 Swamp Workflow Management 2019-03-05 23:11:20 UTC
openSUSE-SU-2019:0293-1: An update that solves four vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 1043311,1046681,1051797,1071545,1105849,1112461,1115245,1117776,1118460,1118462,1118463,1125609,1125666
CVE References: CVE-2018-19637,CVE-2018-19638,CVE-2018-19639,CVE-2018-19640
Sources used:
openSUSE Leap 15.0 (src):    supportutils-3.1-lp150.4.3.1
Comment 10 Swamp Workflow Management 2019-03-12 23:10:25 UTC
SUSE-SU-2019:13976-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1117751,1118460,1118462,1118463
CVE References: CVE-2018-19636,CVE-2018-19638,CVE-2018-19639,CVE-2018-19640
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    supportutils-1.20-122.9.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    supportutils-1.20-122.9.1
Comment 11 Swamp Workflow Management 2019-04-30 19:17:48 UTC
SUSE-SU-2019:1122-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1054979,1099498,1115245,1117751,1117776,1118460,1118462,1118463,1125623,1125666
CVE References: CVE-2018-19636,CVE-2018-19637,CVE-2018-19638,CVE-2018-19639,CVE-2018-19640
Sources used:
SUSE OpenStack Cloud 7 (src):    hostinfo-1.0.1-19.5.1, supportutils-3.0-95.21.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    hostinfo-1.0.1-19.5.1, supportutils-3.0-95.21.1
SUSE Linux Enterprise Server 12-SP4 (src):    hostinfo-1.0.1-19.5.1, supportutils-3.0-95.21.1
SUSE Linux Enterprise Server 12-SP3 (src):    hostinfo-1.0.1-19.5.1, supportutils-3.0-95.21.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    hostinfo-1.0.1-19.5.1, supportutils-3.0-95.21.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    hostinfo-1.0.1-19.5.1, supportutils-3.0-95.21.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    hostinfo-1.0.1-19.5.1, supportutils-3.0-95.21.1
SUSE Linux Enterprise Server 12-LTSS (src):    hostinfo-1.0.1-19.5.1, supportutils-3.0-95.21.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    supportutils-3.0-95.21.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    supportutils-3.0-95.21.1
SUSE Enterprise Storage 4 (src):    hostinfo-1.0.1-19.5.1, supportutils-3.0-95.21.1
SUSE CaaS Platform ALL (src):    supportutils-3.0-95.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2019-05-08 19:11:00 UTC
openSUSE-SU-2019:1351-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1054979,1099498,1115245,1117751,1117776,1118460,1118462,1118463,1125623,1125666
CVE References: CVE-2018-19636,CVE-2018-19637,CVE-2018-19638,CVE-2018-19639,CVE-2018-19640
Sources used:
openSUSE Leap 42.3 (src):    hostinfo-1.0.1-21.3.1
Comment 13 Marcus Meissner 2021-01-17 08:06:45 UTC
close