Bug 1146312 - (CVE-2016-10905) VUL-0: CVE-2016-10905: kernel-source: use-after-free is caused by the functions gfs2_clear_rgrpd and read_rindex_entry
(CVE-2016-10905)
VUL-0: CVE-2016-10905: kernel-source: use-after-free is caused by the functio...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/240420/
CVSSv3:SUSE:CVE-2016-10905:5.3:(AV:L/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-08-20 08:44 UTC by Alexandros Toptsoglou
Modified: 2022-06-09 08:12 UTC (History)
11 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexandros Toptsoglou 2019-08-20 08:44:27 UTC
CVE-2016-10905

An issue was discovered in fs/gfs2/rgrp.c in the Linux kernel before 4.8. A
use-after-free is caused by the functions gfs2_clear_rgrpd and
read_rindex_entry.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10905
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10905.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10905
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=36e4ad0316c017d5b271378ed9a1c9a4b77fab5f
Comment 6 Goldwyn Rodrigues 2022-02-03 17:34:21 UTC
Sorry, this fell off the radar.

GFS2 is supported RW from SLE12 onwards, so added to cve/linux-4.4 only.
Comment 7 Gianluca Gabrielli 2022-02-22 08:29:01 UTC
Thanks, can we expect this to be fixed with the next kernel update round?
Comment 8 Goldwyn Rodrigues 2022-02-22 21:36:13 UTC
(In reply to Gianluca Gabrielli from comment #7)
> Thanks, can we expect this to be fixed with the next kernel update round?

Yes, please look for the bug number in the changelog.
Comment 17 Swamp Workflow Management 2022-03-08 23:23:59 UTC
SUSE-SU-2022:0762-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1146312,1185973,1191580,1193731,1194463,1195536,1195543,1195612,1195908,1195939,1196079,1196612
CVE References: CVE-2016-10905,CVE-2021-0920,CVE-2022-0001,CVE-2022-0002,CVE-2022-0492,CVE-2022-0617,CVE-2022-24448
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    kernel-default-4.4.180-94.156.1, kernel-source-4.4.180-94.156.1, kernel-syms-4.4.180-94.156.1, kgraft-patch-SLE12-SP3_Update_43-1-4.3.1
SUSE OpenStack Cloud 8 (src):    kernel-default-4.4.180-94.156.1, kernel-source-4.4.180-94.156.1, kernel-syms-4.4.180-94.156.1, kgraft-patch-SLE12-SP3_Update_43-1-4.3.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    kernel-default-4.4.180-94.156.1, kernel-source-4.4.180-94.156.1, kernel-syms-4.4.180-94.156.1, kgraft-patch-SLE12-SP3_Update_43-1-4.3.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    kernel-default-4.4.180-94.156.1, kernel-source-4.4.180-94.156.1, kernel-syms-4.4.180-94.156.1, kgraft-patch-SLE12-SP3_Update_43-1-4.3.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    kernel-default-4.4.180-94.156.1, kernel-source-4.4.180-94.156.1, kernel-syms-4.4.180-94.156.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    kernel-default-4.4.180-94.156.1
HPE Helion Openstack 8 (src):    kernel-default-4.4.180-94.156.1, kernel-source-4.4.180-94.156.1, kernel-syms-4.4.180-94.156.1, kgraft-patch-SLE12-SP3_Update_43-1-4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2022-03-09 00:18:09 UTC
SUSE-SU-2022:0756-1: An update that solves 7 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1146312,1190717,1191580,1193731,1194463,1195543,1195612,1195908,1195939,1196079,1196612
CVE References: CVE-2016-10905,CVE-2021-0920,CVE-2022-0001,CVE-2022-0002,CVE-2022-0492,CVE-2022-0617,CVE-2022-24448
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    kernel-default-4.4.121-92.169.1, kernel-source-4.4.121-92.169.1, kernel-syms-4.4.121-92.169.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Carlos López 2022-06-09 08:12:41 UTC
Done, closing.