Bug 1032268 - (CVE-2016-10229) VUL-0: CVE-2016-10229: kernel-source: udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traff...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Major
Target Milestone: ---
Assigned To: Michal Kubeček
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/182832/
Whiteboard: CVSSv2:NVD:CVE-2016-10229:10.0:(AV:N...
Depends on:
Blocks:
Reported: 2017-04-04 09:44 UTC by Marcus Meissner
Modified: 2019-08-16 15:26 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2017-04-04 09:44:27 UTC
CVE-2016-10229

udp.c in the Linux kernel before 4.5 allows remote attackers to execute
arbitrary code via UDP traffic that triggers an unsafe second checksum
calculation during execution of a recv system call with the MSG_PEEK flag.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229
https://github.com/torvalds/linux/commit/197c949e7798fbf28cfadc69d9ca0c2abbf93191
http://source.android.com/security/bulletin/2017-04-01.html
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=197c949e7798fbf28cfadc69d9ca0c2abbf93191
Comment 1 Marcus Meissner 2017-04-04 09:47:18 UTC
Michal? Can you enlighten us quickly on this please.

Might just be in the stable kernel that android uses?
Comment 2 Marcus Meissner 2017-04-04 09:50:34 UTC
This seems to be a duplicate of bug 952587, aka CVE-2015-8019.
Comment 3 Michal Kubeček 2017-04-04 10:12:01 UTC
I would rather say bsc#959364 but it's a bit complicated as there was a series
of three issues and (mainline) commit 197c949e7798 was created in response to
the last one but it actually works as a fix for the previous one as well.

Anyway, we already have it in cve/linux-3.12 via 3.12.53 stable update.
We also have it in SLE12-SP2 (via 4.4.21) but on kernels >= 3.19 it's rather
an optimization. The real problem only existed on kernels < 3.19 (before the
code was rewritten) where mainline commit 89c22d8c3b27 was backported.
At the moment, this only means cve/linux-3.12 and its consumers.

There is a possibility that also kernels >= 3.19 might be affected by some
security problem addressed by this patch which wasn't apparent at the time
it was submitted so I better check linked documents. The only branch that
would require a backport in such case would be openSUSE-42.1.
Comment 4 Marcus Meissner 2017-04-13 13:10:28 UTC
can you tag the stable commits in our trees? bin/addnote CVE-2016-10229  "This issue was fixed in the Linux Kernel 4.4.21 stable release, and so was fixed before SUSE Linux Enterprise Server 12 SP2 shipment. This issue was fixed in Linux Kernel 3.12.53 for SUSE Linux Enterprise Server 12 and 12 SP1. The problem does not affect Linux Kernel 3.0 and older, so SUSE Linux Enterprise 11 and older products are not affected."
Comment 6 Michal Kubeček 2017-04-27 06:13:44 UTC
I added the references to cve/linux-3.12 branch. I'm kind of reluctant to add
them to 4.4 kernels as the issue (both the original one and the two follow-ups)
never actually existed in any kernel >= 3.19. The issue(s) only existed in
stable branches not containing Al Viro's rewrite (which came with 3.19) and
only after they received the backport of mainline commit 89c22d8c3b27 (which
was perfectly fine in 4.2-rc4 but caused problems when backported to pre-3.19
kernels). The reason why 197c949e7798 was added to mainline was optimization
(it prevents calculating the checksum twice for some packets).

But if the reference is needed to silence customers and their changelog based
check scripts, it wouldn't do any harm either (even if it would be technically
incorrect).
Comment 8 Marcus Meissner 2017-05-10 16:26:19 UTC
Note from security:

This issue was fixed in the 3.12.53 stable update, without this CVE specifically mentioned. Newer 3.12.x kernels are not affected.
Comment 9 Swamp Workflow Management 2017-11-02 17:13:57 UTC
SUSE-SU-2017:2920-1: An update that solves 36 vulnerabilities and has 22 fixes is now available.

Category: security (important)
Bug References: 1008353,1012422,1017941,1029850,1030593,1032268,1034405,1034670,1035576,1035877,1036752,1037182,1037183,1037306,1037994,1038544,1038879,1038981,1038982,1039348,1039349,1039354,1039456,1039721,1039882,1039883,1039885,1040069,1041431,1041958,1044125,1045327,1045487,1045922,1046107,1047408,1048275,1049645,1049882,1052593,1053148,1053152,1056588,1056982,1057179,1058038,1058410,1058507,1058524,1062520,1063667,1064388,938162,975596,977417,984779,985562,990682
CVE References: CVE-2015-9004,CVE-2016-10229,CVE-2016-9604,CVE-2017-1000363,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-10661,CVE-2017-11176,CVE-2017-12153,CVE-2017-12154,CVE-2017-12762,CVE-2017-13080,CVE-2017-14051,CVE-2017-14106,CVE-2017-14140,CVE-2017-15265,CVE-2017-15274,CVE-2017-15649,CVE-2017-2647,CVE-2017-6951,CVE-2017-7482,CVE-2017-7487,CVE-2017-7518,CVE-2017-7541,CVE-2017-7542,CVE-2017-7889,CVE-2017-8106,CVE-2017-8831,CVE-2017-8890,CVE-2017-8924,CVE-2017-8925,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.61-52.101.1, kernel-source-3.12.61-52.101.1, kernel-syms-3.12.61-52.101.1, kernel-xen-3.12.61-52.101.1, kgraft-patch-SLE12_Update_28-1-8.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.61-52.101.1
Comment 10 Marcus Meissner 2018-02-09 06:29:32 UTC
released