Security update for util-linux

Announcement ID:	SUSE-SU-2017:0553-1
Rating:	important
References:	bsc#1008965 bsc#1012504 bsc#1012632 bsc#1019332 bsc#1020077 bsc#1023041 bsc#947494 bsc#966891 bsc#978993 bsc#982331 bsc#983164 bsc#987176 bsc#988361
Cross-References:	CVE-2016-5011 CVE-2017-2616
CVSS scores:	CVE-2016-5011 ( NVD ): 4.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-5011 ( NVD ): 4.3 CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-2616 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 LTSS 12 SUSE Linux Enterprise Server for SAP Applications 12

An update that solves two vulnerabilities and has 11 security fixes can now be installed.

Description:

This update for util-linux fixes a number of bugs and two security issues.

The following security bugs were fixed:

• CVE-2016-5011: Infinite loop DoS in libblkid while parsing DOS partition (bsc#988361)
• CVE-2017-2616: In su with PAM support it was possible for local users to send SIGKILL to selected other processes with root privileges (bsc#1023041).

The following non-security bugs were fixed:

• bsc#1008965: Ensure that the option "users,exec,dev,suid" work as expected on NFS mounts
• bsc#1012504: Fix regressions in safe loop re-use patch set for libmount
• bsc#1012632: Disable ro checks for mtab
• bsc#1020077: fstrim: De-duplicate btrfs sub-volumes for "fstrim -a" and bind mounts
• bsc#947494: mount -a would fail to recognize btrfs already mounted, address loop re-use in libmount
• bsc#966891: Conflict in meaning of losetup -L. This switch in SLE12 SP1 and SP2 continues to carry the meaning of --logical-blocksize instead of upstream --nooverlap
• bsc#978993: cfdisk would mangle some text output
• bsc#982331: libmount: ignore redundant slashes
• bsc#983164: mount uid= and gid= would reject valid non UID/GID values
• bsc#987176: When mounting a subfolder of a CIFS share, mount -a would show the mount as busy
• bsc#1019332: lscpu: Implement WSL detection and work around crash

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SAP-12-2017-290=1
• SUSE Linux Enterprise Server 12 LTSS 12
  zypper in -t patch SUSE-SLE-SERVER-12-2017-290=1

Package List:

• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • libblkid1-debuginfo-2.25-24.10.1
  • libblkid1-32bit-2.25-24.10.1
  • libmount1-debuginfo-32bit-2.25-24.10.1
  • libblkid1-2.25-24.10.1
  • util-linux-debugsource-2.25-24.10.1
  • libuuid1-32bit-2.25-24.10.1
  • libsmartcols1-2.25-24.10.1
  • util-linux-2.25-24.10.1
  • libuuid1-debuginfo-2.25-24.10.1
  • python-libmount-debugsource-2.25-24.10.3
  • libmount1-2.25-24.10.1
  • python-libmount-2.25-24.10.3
  • libblkid1-debuginfo-32bit-2.25-24.10.1
  • uuidd-2.25-24.10.1
  • python-libmount-debuginfo-2.25-24.10.3
  • libmount1-debuginfo-2.25-24.10.1
  • util-linux-systemd-2.25-24.10.1
  • util-linux-systemd-debugsource-2.25-24.10.1
  • util-linux-systemd-debuginfo-2.25-24.10.1
  • libsmartcols1-debuginfo-2.25-24.10.1
  • libmount1-32bit-2.25-24.10.1
  • uuidd-debuginfo-2.25-24.10.1
  • util-linux-debuginfo-2.25-24.10.1
  • libuuid1-debuginfo-32bit-2.25-24.10.1
  • libuuid1-2.25-24.10.1
• SUSE Linux Enterprise Server for SAP Applications 12 (noarch)
  • util-linux-lang-2.25-24.10.1
• SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
  • uuidd-debuginfo-2.25-24.10.1
  • python-libmount-2.25-24.10.3
  • libblkid1-debuginfo-2.25-24.10.1
  • libsmartcols1-debuginfo-2.25-24.10.1
  • python-libmount-debuginfo-2.25-24.10.3
  • libblkid1-2.25-24.10.1
  • libmount1-debuginfo-2.25-24.10.1
  • util-linux-debugsource-2.25-24.10.1
  • libsmartcols1-2.25-24.10.1
  • util-linux-debuginfo-2.25-24.10.1
  • util-linux-2.25-24.10.1
  • util-linux-systemd-2.25-24.10.1
  • libuuid1-debuginfo-2.25-24.10.1
  • python-libmount-debugsource-2.25-24.10.3
  • uuidd-2.25-24.10.1
  • libuuid1-2.25-24.10.1
  • libmount1-2.25-24.10.1
  • util-linux-systemd-debugsource-2.25-24.10.1
  • util-linux-systemd-debuginfo-2.25-24.10.1
• SUSE Linux Enterprise Server 12 LTSS 12 (noarch)
  • util-linux-lang-2.25-24.10.1
• SUSE Linux Enterprise Server 12 LTSS 12 (s390x x86_64)
  • libblkid1-debuginfo-32bit-2.25-24.10.1
  • libblkid1-32bit-2.25-24.10.1
  • libmount1-debuginfo-32bit-2.25-24.10.1
  • libmount1-32bit-2.25-24.10.1
  • libuuid1-debuginfo-32bit-2.25-24.10.1
  • libuuid1-32bit-2.25-24.10.1

References:

• https://www.suse.com/security/cve/CVE-2016-5011.html
• https://www.suse.com/security/cve/CVE-2017-2616.html
• https://bugzilla.suse.com/show_bug.cgi?id=1008965
• https://bugzilla.suse.com/show_bug.cgi?id=1012504
• https://bugzilla.suse.com/show_bug.cgi?id=1012632
• https://bugzilla.suse.com/show_bug.cgi?id=1019332
• https://bugzilla.suse.com/show_bug.cgi?id=1020077
• https://bugzilla.suse.com/show_bug.cgi?id=1023041
• https://bugzilla.suse.com/show_bug.cgi?id=947494
• https://bugzilla.suse.com/show_bug.cgi?id=966891
• https://bugzilla.suse.com/show_bug.cgi?id=978993
• https://bugzilla.suse.com/show_bug.cgi?id=982331
• https://bugzilla.suse.com/show_bug.cgi?id=983164
• https://bugzilla.suse.com/show_bug.cgi?id=987176
• https://bugzilla.suse.com/show_bug.cgi?id=988361