【CESA-2017:1206】An update for qemu-kvm is now available for Red Hat Enterprise Linux 6

CESA-2017:1206

An update for qemu-kvm is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux
on a variety of architectures. The qemu-kvm package provides the user-space
component for running virtual machines that use KVM.

Security Fix(es):

* A heap buffer overflow flaw was found in QEMU’s Cirrus CLGD 54xx VGA
emulator’s VNC display driver support; the issue could occur when a VNC client
attempted to update its display after a VGA operation is performed by a guest. A
privileged user/process inside a guest could use this flaw to crash the QEMU
process or, potentially, execute arbitrary code on the host with privileges of
the QEMU process. (CVE-2016-9603)

* An out-of-bounds r/w access issue was found in QEMU’s Cirrus CLGD 54xx VGA
Emulator support. The vulnerability could occur while copying VGA data via
various bitblt functions. A privileged user inside a guest could use this flaw
to crash the QEMU process or, potentially, execute arbitrary code on the host
with privileges of the QEMU process. (CVE-2017-7980)

* An out-of-bounds memory access issue was found in QEMU’s VNC display driver
support. The vulnerability could occur while refreshing the VNC display surface
area in the ‘vnc_refresh_server_surface’. A user/process inside a guest could
use this flaw to crash the QEMU process, resulting in a denial of service.
(CVE-2017-2633)

* An out-of-bounds access issue was found in QEMU’s Cirrus CLGD 54xx VGA
Emulator support. The vulnerability could occur while copying VGA data using
bitblt functions (for example, cirrus_bitblt_rop_fwd_transp_). A privileged user
inside a guest could use this flaw to crash the QEMU process, resulting in
denial of service. (CVE-2017-7718)

Red Hat would like to thank Jiangxin (PSIRT Huawei Inc.) and Li Qiang (Qihoo 360
Gear Team) for reporting CVE-2017-7980 and Jiangxin (PSIRT Huawei Inc.) for
reporting CVE-2017-7718.

Bugs Fixed

1400438 – CVE-2017-2633 qemu-kvm coredump in vnc_refresh_server_surface [rhel-6.9.z]
1425939 – CVE-2017-2633 Qemu: VNC: memory corruption due to unchecked resolution limit
1430056 – CVE-2016-9603 Qemu: cirrus: heap buffer overflow via vnc connection
1437060 – Fails to build in brew
1443441 – CVE-2017-7718 Qemu: display: cirrus: OOB read access issue
1444371 – CVE-2017-7980 Qemu: display: cirrus: OOB r/w access issues in bitblt routines

【CESA-2017:1201】An update for thunderbird is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7

CESA-2017:1201

An update for thunderbird is now available for Red Hat Enterprise Linux 6 and
Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 52.1.0.

Security Fix(es):

* Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2017-5429, CVE-2017-5433, CVE-2017-5435, CVE-2017-5436,
CVE-2017-5459, CVE-2017-5466, CVE-2017-5432, CVE-2017-5434, CVE-2017-5438,
CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443,
CVE-2017-5444, CVE-2017-5446, CVE-2017-5447, CVE-2017-5454, CVE-2017-5460,
CVE-2017-5464, CVE-2017-5465, CVE-2017-5469, CVE-2016-10195, CVE-2016-10196,
CVE-2017-5445, CVE-2017-5449, CVE-2017-5451, CVE-2017-5467, CVE-2016-10197)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Petr Cerny, Nils, Ivan Fratric (Google Project Zero),
Takeshi Terada, Heather Miller (Google Skia team), Chun Han Hsiao, Chamal De
Silva, Nicolas Grégoire, Holger Fuhrmannek, Atte Kettunen, Haik Aftandilian, and
Jordi Chancel as the original reporters.

Bugs Fixed

1418608 – CVE-2016-10195 libevent: Stack-buffer overflow in the name_parse() function
1418611 – CVE-2016-10196 libevent: Stack-buffer overflow in evutil_parse_sockaddr_port()
1418612 – CVE-2016-10197 libevent: Out-of-bounds read in search_make_new()
1443298 – CVE-2017-5442 Mozilla: Use-after-free during style changes (MFSA 2017-11, MFSA 2017-12)
1443299 – CVE-2017-5443 Mozilla: Out-of-bounds write during BinHex decoding (MFSA 2017-11, MFSA 2017-12)
1443301 – CVE-2017-5429 Mozilla: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1 (MFSA 2017-11, MFSA 2017-12)
1443303 – CVE-2017-5464 Mozilla: Memory corruption with accessibility and DOM manipulation (MFSA 2017-11, MFSA 2017-12)
1443304 – CVE-2017-5465 Mozilla: Out-of-bounds read in ConvolvePixel (MFSA 2017-11, MFSA 2017-12)
1443305 – CVE-2017-5466 Mozilla: Origin confusion when reloading isolated data:text/html URL (MFSA 2017-12)
1443307 – CVE-2017-5467 Mozilla: Memory corruption when drawing Skia content (MFSA 2017-12)
1443308 – CVE-2017-5460 Mozilla: Use-after-free in frame selection (MFSA 2017-11, MFSA 2017-12)
1443311 – CVE-2017-5449 Mozilla: Crash during bidirectional unicode manipulation with animation (MFSA 2017-11, MFSA 2017-12)
1443312 – CVE-2017-5446 Mozilla: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data (MFSA 2017-11, MFSA 2017-12)
1443313 – CVE-2017-5447 Mozilla: Out-of-bounds read during glyph processing (MFSA 2017-11, MFSA 2017-12)
1443314 – CVE-2017-5444 Mozilla: Buffer overflow while parsing application/http-index-format content (MFSA 2017-11, MFSA 2017-12)
1443315 – CVE-2017-5445 Mozilla: Uninitialized values used while parsing application/http-index-format content (MFSA 2017-11, MFSA 2017-12)
1443317 – CVE-2017-5469 Mozilla: Potential Buffer overflow in flex-generated code (MFSA 2017-11, MFSA 2017-12)
1443322 – CVE-2017-5440 Mozilla: Use-after-free in txExecutionState destructor during XSLT processing (MFSA 2017-11, MFSA 2017-12)
1443323 – CVE-2017-5441 Mozilla: Use-after-free with selection during scroll events (MFSA 2017-11, MFSA 2017-12)
1443324 – CVE-2017-5439 Mozilla: Use-after-free in nsTArray Length() during XSLT processing (MFSA 2017-11, MFSA 2017-12)
1443325 – CVE-2017-5438 Mozilla: Use-after-free in nsAutoPtr during XSLT processing (MFSA 2017-11, MFSA 2017-12)
1443327 – CVE-2017-5436 Mozilla: Out-of-bounds write with malicious font in Graphite 2 (MFSA 2017-11, MFSA 2017-12)
1443328 – CVE-2017-5435 Mozilla: Use-after-free during transaction processing in the editor (MFSA 2017-11, MFSA 2017-12)
1443329 – CVE-2017-5434 Mozilla: Use-after-free during focus handling (MFSA 2017-11, MFSA 2017-12)
1443330 – CVE-2017-5433 Mozilla: Use-after-free in SMIL animation functions (MFSA 2017-11, MFSA 2017-12)
1443332 – CVE-2017-5432 Mozilla: Use-after-free in text input selection (MFSA 2017-11, MFSA 2017-12)
1443333 – CVE-2017-5459 Mozilla: Buffer overflow in WebGL (MFSA 2017-11, MFSA 2017-12)
1443338 – CVE-2017-5454 Mozilla: Sandbox escape allowing file system read access through file picker (MFSA 2017-12)
1443340 – CVE-2017-5451 Mozilla: Addressbar spoofing with onblur event (MFSA 2017-12)

【CESA-2017:1202】An update for bind is now available for Red Hat Enterprise Linux 6

CESA-2017:1202

An update for bind is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name
System (DNS) protocols. BIND includes a DNS server (named); a resolver library
(routines for applications to use when interfacing with DNS); and tools for
verifying that the DNS server is operating correctly.

Security Fix(es):

* A denial of service flaw was found in the way BIND handled DNSSEC validation.
A remote attacker could use this flaw to make named exit unexpectedly with an
assertion failure via a specially crafted DNS response. (CVE-2017-3139)

Note: This issue affected only the BIND versions as shipped with Red Hat
Enterprise Linux 6. This issue did not affect any upstream versions of BIND.

Bugs Fixed

1447743 – CVE-2017-3139 bind: assertion failure in DNSSEC validation

【CESA-2017:1108】An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7

CESA-2017:1108

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux
7.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment
and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* An untrusted library search path flaw was found in the JCE component of
OpenJDK. A local attacker could possibly use this flaw to cause a Java
application using JCE to load an attacker-controlled library and hence escalate
their privileges. (CVE-2017-3511)

* It was found that the JAXP component of OpenJDK failed to correctly enforce
parse tree size limits when parsing an XML document. An attacker able to make a
Java application parse a specially crafted XML document could use this flaw to
make it consume an excessive amount of CPU and memory. (CVE-2017-3526)

* It was discovered that the HTTP client implementation in the Networking
component of OpenJDK could cache and re-use an NTLM authenticated connection in
a different security context. A remote attacker could possibly use this flaw to
make a Java application perform HTTP requests authenticated with credentials of
a different user. (CVE-2017-3509)

Note: This update adds support for the “jdk.ntlm.cache” system property which,
when set to false, prevents caching of NTLM connections and authentications and
hence prevents this issue. However, caching remains enabled by default.

* It was discovered that the Security component of OpenJDK did not allow users
to restrict the set of algorithms allowed for Jar integrity verification. This
flaw could allow an attacker to modify content of the Jar file that used weak
signing key or hash algorithm. (CVE-2017-3539)

Note: This update extends the fix for CVE-2016-5542 released as part of the
RHSA-2016:2079 erratum to no longer allow the MD5 hash algorithm during Jar
integrity verification by adding it to the jdk.jar.disabledAlgorithms security
property.
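The two notes above (the jdk.ntlm.cache system property for CVE-2017-3509 and the jdk.jar.disabledAlgorithms security property for CVE-2017-3539) describe settings an administrator will want to confirm on the updated runtime rather than assume. The following Java program is an added example, not Red Hat's or OpenJDK's code: it parses the comma-separated jdk.jar.disabledAlgorithms value in the form the JDK uses (plain names such as MD5, or a name followed by a qualifier such as RSA keySize < 1024), reports whether MD5 is disabled outright for Jar verification, and reports whether jdk.ntlm.cache has been explicitly set to false. The class name JdkHardeningCheck and the helper names are assumptions; the two property names are those given in the erratum.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/**
 * Post-update check for two hardening points in this erratum
 * (added example, not Red Hat's or OpenJDK's code):
 *  - CVE-2017-3539: MD5 must appear, unqualified, in jdk.jar.disabledAlgorithms
 *  - CVE-2017-3509: NTLM connection caching is off only when jdk.ntlm.cache=false
 */
public class JdkHardeningCheck {

    /** One entry of jdk.jar.disabledAlgorithms, e.g. "MD5" or "RSA keySize < 1024". */
    static final class Constraint {
        final String algorithm;   // upper-cased algorithm name
        final String qualifier;   // e.g. "keySize < 1024", or null when unqualified

        Constraint(String algorithm, String qualifier) {
            this.algorithm = algorithm;
            this.qualifier = qualifier;
        }
    }

    /** Parse the comma-separated syntax used by jdk.jar.disabledAlgorithms. */
    static List<Constraint> parseDisabledAlgorithms(String value) {
        List<Constraint> out = new ArrayList<>();
        if (value == null) {
            return out;
        }
        for (String raw : value.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) {
                continue;
            }
            // An entry is "<ALG>" or "<ALG> <qualifier...>"; split on the first space.
            int space = entry.indexOf(' ');
            String alg = (space < 0 ? entry : entry.substring(0, space)).toUpperCase(Locale.ROOT);
            String qualifier = space < 0 ? null : entry.substring(space + 1).trim();
            out.add(new Constraint(alg, qualifier));
        }
        return out;
    }

    /** True when the algorithm is disabled outright (no key-size or other qualifier). */
    static boolean isFullyDisabled(List<Constraint> constraints, String algorithm) {
        String wanted = algorithm.toUpperCase(Locale.ROOT);
        for (Constraint c : constraints) {
            if (c.algorithm.equals(wanted) && c.qualifier == null) {
                return true;
            }
        }
        return false;
    }

    /** Caching stays on unless the property is explicitly "false" (the erratum's stated default). */
    static boolean ntlmCachingDisabled(String propertyValue) {
        return propertyValue != null && propertyValue.trim().equalsIgnoreCase("false");
    }

    public static void main(String[] args) {
        // Reads the live java.security configuration of the JVM this runs under.
        String jarPolicy = Security.getProperty("jdk.jar.disabledAlgorithms");
        List<Constraint> constraints = parseDisabledAlgorithms(jarPolicy);
        System.out.println("jdk.jar.disabledAlgorithms = " + jarPolicy);
        System.out.println("MD5 disabled for jar verification: "
                + isFullyDisabled(constraints, "MD5"));

        String ntlm = System.getProperty("jdk.ntlm.cache");
        System.out.println("jdk.ntlm.cache = " + ntlm);
        System.out.println("NTLM connection caching disabled: " + ntlmCachingDisabled(ntlm));
    }
}
```

Run it once as `java JdkHardeningCheck` to see the runtime's defaults (MD5 should report as disabled after this update, NTLM caching as still enabled), then as `java -Djdk.ntlm.cache=false JdkHardeningCheck` to confirm the property is being picked up before adding it to the affected application's launch options. Only an unqualified MD5 entry counts as a full disable; an entry with a qualifier would restrict rather than forbid the algorithm.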

* Newline injection flaws were discovered in FTP and SMTP client implementations
in the Networking component in OpenJDK. A remote attacker could possibly use
these flaws to manipulate FTP or SMTP connections established by a Java
application. (CVE-2017-3533, CVE-2017-3544)

Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited without
user interaction if a user visited a malicious website.

Bug Fix(es):

* When a method is called using the Java Debug Wire Protocol (JDWP)
“invokeMethod” command in a target Java virtual machine, JDWP creates global
references for every Object that is implied in the method invocation, as well as
for the returned argument of the reference type. Previously, the global
references created for such arguments were not collected (deallocated) by the
garbage collector after “invokeMethod” finished. This consequently caused memory
leaks, and because references to such objects were never released, the debugged
application could be terminated with an Out of Memory error. This bug has been
fixed, and the described problem no longer occurs. (BZ#1442162)

Bugs Fixed

1442162 – Using jdb triggers OOME on the debugged application
1443007 – CVE-2017-3511 OpenJDK: untrusted extension directories search path in Launcher (JCE, 8163528)
1443052 – CVE-2017-3509 OpenJDK: improper re-use of NTLM authenticated connections (Networking, 8163520)
1443068 – CVE-2017-3544 OpenJDK: newline injection in the SMTP client (Networking, 8171533)
1443083 – CVE-2017-3533 OpenJDK: newline injection in the FTP client (Networking, 8170222)
1443097 – CVE-2017-3539 OpenJDK: MD5 allowed for jar verification (Security, 8171121)
1443252 – CVE-2017-3526 OpenJDK: incomplete XML parse tree size enforcement (JAXP, 8169011)


【CESA-2017:1106】An update for firefox is now available for Red Hat Enterprise Linux 7

CESA-2017:1106

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Mozilla Firefox is an open source web browser.

This update upgrades Firefox to version 52.1.0 ESR.

Security Fix(es):

* Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox.
(CVE-2017-5429, CVE-2017-5430, CVE-2017-5432, CVE-2017-5433, CVE-2017-5434,
CVE-2017-5435, CVE-2017-5436, CVE-2017-5437, CVE-2017-5438, CVE-2017-5439,
CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443, CVE-2017-5444,
CVE-2017-5445, CVE-2017-5446, CVE-2017-5447, CVE-2017-5448, CVE-2017-5449,
CVE-2017-5451, CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5459,
CVE-2017-5460, CVE-2017-5464, CVE-2017-5465, CVE-2017-5466, CVE-2017-5467,
CVE-2017-5469)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Mozilla developers and community, Nils, Holger Fuhrmannek,
Atte Kettunen, Takeshi Terada, Huzaifa Sidhpurwala, Nicolas Grégoire, Chamal De
Silva, Chun Han Hsiao, Ivan Fratric of Google Project Zero, Anonymous working
with Trend Micro’s Zero Day Initiative, Haik Aftandilian, Paul Theriault, Julian
Hector, Petr Cerny, Jordi Chancel, and Heather Miller of Google Skia team as the
original reporters.

Bugs Fixed

1443297 – CVE-2017-5456 Mozilla: Sandbox escape allowing local file system read access (MFSA 2017-12)
1443298 – CVE-2017-5442 Mozilla: Use-after-free during style changes (MFSA 2017-11, MFSA 2017-12)
1443299 – CVE-2017-5443 Mozilla: Out-of-bounds write during BinHex decoding (MFSA 2017-11, MFSA 2017-12)
1443301 – CVE-2017-5429 Mozilla: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1 (MFSA 2017-11, MFSA 2017-12)
1443303 – CVE-2017-5464 Mozilla: Memory corruption with accessibility and DOM manipulation (MFSA 2017-11, MFSA 2017-12)
1443304 – CVE-2017-5465 Mozilla: Out-of-bounds read in ConvolvePixel (MFSA 2017-11, MFSA 2017-12)
1443305 – CVE-2017-5466 Mozilla: Origin confusion when reloading isolated data:text/html URL (MFSA 2017-12)
1443307 – CVE-2017-5467 Mozilla: Memory corruption when drawing Skia content (MFSA 2017-12)
1443308 – CVE-2017-5460 Mozilla: Use-after-free in frame selection (MFSA 2017-11, MFSA 2017-12)
1443310 – CVE-2017-5448 Mozilla: Out-of-bounds write in ClearKeyDecryptor (MFSA 2017-11, MFSA 2017-12)
1443311 – CVE-2017-5449 Mozilla: Crash during bidirectional unicode manipulation with animation (MFSA 2017-11, MFSA 2017-12)
1443312 – CVE-2017-5446 Mozilla: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data (MFSA 2017-11, MFSA 2017-12)
1443313 – CVE-2017-5447 Mozilla: Out-of-bounds read during glyph processing (MFSA 2017-11, MFSA 2017-12)
1443314 – CVE-2017-5444 Mozilla: Buffer overflow while parsing application/http-index-format content (MFSA 2017-11, MFSA 2017-12)
1443315 – CVE-2017-5445 Mozilla: Uninitialized values used while parsing application/http-index-format content (MFSA 2017-11, MFSA 2017-12)
1443317 – CVE-2017-5469 Mozilla: Potential Buffer overflow in flex-generated code (MFSA 2017-11, MFSA 2017-12)
1443322 – CVE-2017-5440 Mozilla: Use-after-free in txExecutionState destructor during XSLT processing (MFSA 2017-11, MFSA 2017-12)
1443323 – CVE-2017-5441 Mozilla: Use-after-free with selection during scroll events (MFSA 2017-11, MFSA 2017-12)
1443324 – CVE-2017-5439 Mozilla: Use-after-free in nsTArray Length() during XSLT processing (MFSA 2017-11, MFSA 2017-12)
1443325 – CVE-2017-5438 Mozilla: Use-after-free in nsAutoPtr during XSLT processing (MFSA 2017-11, MFSA 2017-12)
1443326 – CVE-2017-5437 Mozilla: Vulnerabilities in libevent library (MFSA 2017-11, MFSA 2017-12)
1443327 – CVE-2017-5436 Mozilla: Out-of-bounds write with malicious font in Graphite 2 (MFSA 2017-11, MFSA 2017-12)
1443328 – CVE-2017-5435 Mozilla: Use-after-free during transaction processing in the editor (MFSA 2017-11, MFSA 2017-12)
1443329 – CVE-2017-5434 Mozilla: Use-after-free during focus handling (MFSA 2017-11, MFSA 2017-12)
1443330 – CVE-2017-5433 Mozilla: Use-after-free in SMIL animation functions (MFSA 2017-11, MFSA 2017-12)
1443331 – CVE-2017-5430 Mozilla: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1 (MFSA 2017-12)
1443332 – CVE-2017-5432 Mozilla: Use-after-free in text input selection (MFSA 2017-11, MFSA 2017-12)
1443333 – CVE-2017-5459 Mozilla: Buffer overflow in WebGL (MFSA 2017-11, MFSA 2017-12)
1443334 – CVE-2017-5455 Mozilla: Sandbox escape through internal feed reader APIs (MFSA 2017-12)
1443338 – CVE-2017-5454 Mozilla: Sandbox escape allowing file system read access through file picker (MFSA 2017-12)
1443340 – CVE-2017-5451 Mozilla: Addressbar spoofing with onblur event (MFSA 2017-12)

【CESA-2017:1100】An update for nss and nss-util is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7

CESA-2017:1100

An update for nss and nss-util is now available for Red Hat Enterprise Linux 6
and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Network Security Services (NSS) is a set of libraries designed to support the
cross-platform development of security-enabled client and server applications.

The nss-util packages provide utilities for use with the Network Security
Services (NSS) libraries.

The following packages have been upgraded to a newer upstream version: nss
(3.28.4), nss-util (3.28.4).

Security Fix(es):

* An out-of-bounds write flaw was found in the way NSS performed certain
Base64-decoding operations. An attacker could use this flaw to create a
specially crafted certificate which, when parsed by NSS, could cause it to crash
or execute arbitrary code, using the permissions of the user running an
application compiled against the NSS library. (CVE-2017-5461)

Red Hat would like to thank the Mozilla project for reporting this issue.
Upstream acknowledges Ronald Crane as the original reporter.

Bugs Fixed

1440080 – CVE-2017-5461 nss: Write beyond bounds caused by bugs in Base64 de/encoding in nssb64d.c and nssb64e.c (MFSA 2017-10)

【CESA-2017:1095】An update for bind is now available for Red Hat Enterprise Linux 7

CESA-2017:1095

An update for bind is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name
System (DNS) protocols. BIND includes a DNS server (named); a resolver library
(routines for applications to use when interfacing with DNS); and tools for
verifying that the DNS server is operating correctly.

Security Fix(es):

* A denial of service flaw was found in the way BIND handled a query response
containing CNAME or DNAME resource records in an unusual order. A remote
attacker could use this flaw to make named exit unexpectedly with an assertion
failure via a specially crafted DNS response. (CVE-2017-3137)

* A denial of service flaw was found in the way BIND handled query requests when
using DNS64 with “break-dnssec yes” option. A remote attacker could use this
flaw to make named exit unexpectedly with an assertion failure via a specially
crafted DNS request. (CVE-2017-3136)

Red Hat would like to thank ISC for reporting these issues. Upstream
acknowledges Oleg Gorokhov (Yandex) as the original reporter of CVE-2017-3136.

Bugs Fixed

1441125 – CVE-2017-3136 bind: Incorrect error handling causes assertion failure when using DNS64 with “break-dnssec yes;”
1441133 – CVE-2017-3137 bind: Processing a response containing CNAME or DNAME with unusual order can crash resolver

【CESA-2017:0987】An update for qemu-kvm is now available for Red Hat Enterprise Linux 7

CESA-2017:0987

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux
on a variety of architectures. The qemu-kvm packages provide the user-space
component for running virtual machines that use KVM.

Security Fix(es):

* A heap buffer overflow flaw was found in QEMU’s Cirrus CLGD 54xx VGA
emulator’s VNC display driver support; the issue could occur when a VNC client
attempted to update its display after a VGA operation is performed by a guest. A
privileged user/process inside a guest could use this flaw to crash the QEMU
process or, potentially, execute arbitrary code on the host with privileges of
the QEMU process. (CVE-2016-9603)

Bugs Fixed

1430056 – CVE-2016-9603 Qemu: cirrus: heap buffer overflow via vnc connection

【CESA-2017:0979】An update for libreoffice is now available for Red Hat Enterprise Linux 6

CESA-2017:0979

An update for libreoffice is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

LibreOffice is an open source, community-developed office productivity suite. It
includes key desktop applications, such as a word processor, a spreadsheet, a
presentation manager, a formula editor, and a drawing program. LibreOffice
replaces OpenOffice and provides a similar but enhanced and extended office
suite.

Security Fix(es):

* It was found that LibreOffice disclosed contents of a file specified in an
embedded object’s preview. An attacker could potentially use this flaw to expose
details of a system running LibreOffice as an online service via a crafted
document. (CVE-2017-3157)

Bugs Fixed

1425844 – CVE-2017-3157 libreoffice: Arbitrary file disclosure in Calc and Writer

【CESA-2017:0933】An update for kernel is now available for Red Hat Enterprise Linux 7

CESA-2017:0933

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating
system.

These updated kernel packages include several security issues and numerous bug
fixes. Space precludes documenting all of these bug fixes in this advisory. To
see the complete list of bug fixes, users are directed to the related Knowledge
Article: https://access.redhat.com/articles/2986951.

Security Fix(es):

* A race condition flaw was found in the N_HDLC Linux kernel driver when
accessing the n_hdlc.tbuf list, which can lead to a double free. A local,
unprivileged user able to set the HDLC line discipline on the tty device could
use this flaw to increase their privileges on the system. (CVE-2017-2636, Important)

* A flaw was found in the Linux kernel key management subsystem in which a local
attacker could crash the kernel or corrupt the stack and additional memory
(denial of service) by supplying a specially crafted RSA key. This flaw panics
the machine during the verification of the RSA key. (CVE-2016-8650, Moderate)

* A flaw was found in the Linux kernel’s implementation of setsockopt for the
SO_{SND|RCV}BUFFORCE setsockopt() system call. Users with non-namespace
CAP_NET_ADMIN are able to trigger this call and create a situation in which the
socket’s send buffer size could be negative. This could adversely affect memory
allocations and create situations where the system could crash or cause memory
corruption. (CVE-2016-9793, Moderate)

* A flaw was found in the Linux kernel’s handling of clearing SELinux attributes
on /proc/pid/attr files. An empty (null) write to this file can crash the system
by causing the system to attempt to access unmapped kernel memory.
(CVE-2017-2618, Moderate)

Red Hat would like to thank Alexander Popov for reporting CVE-2017-2636 and Ralf
Spenneberg for reporting CVE-2016-8650. The CVE-2017-2618 issue was discovered
by Paul Moore (Red Hat Engineering).

Bugs Fixed

1395187 – CVE-2016-8650 kernel: Null pointer dereference via keyctl
1402013 – CVE-2016-9793 kernel: Signed overflow for SO_{SND|RCV}BUFFORCE
1419916 – CVE-2017-2618 kernel: Off-by-one error in selinux_setprocattr (/proc/self/attr/fscreate)
1428319 – CVE-2017-2636 kernel: Race condition access to n_hdlc.tbuf causes double free in n_hdlc_release()