Using zypper to install patches via CVE#

  • 7017287
  • 23-Feb-2016
  • 23-Feb-2016

Environment

SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)

Situation

Customer wants to install patch to address a specific CVE.

Resolution

Use the following commands:
List the patch for a specific CVE#:
# zypper lp --cve=CVE#
Get information about the patch:
# zypper info -t patch PatchName
Install the patch using the CVE#:
# zypper patch --cve=CVE#

Example using CVE-2015-7547:
# rpm -qa | grep glibc
glibc-locale-32bit-2.11.3-17.54.1
glibc-2.11.3-17.54.1
glibc-32bit-2.11.3-17.54.1
glibc-locale-2.11.3-17.54.1
glibc-i18ndata-2.11.3-17.54.1

# zypper lp --cve=cve-2015-7547
Refreshing service 'nu_novell_com'.
Loading repository data...
Reading installed packages...

Issue | No.           | Patch                 | Category | Status
------+---------------+-----------------------+----------+-------
cve   | CVE-2015-7547 | slessp3-glibc-12406-1 | security | needed


# zypper info -t patch slessp3-glibc-12406
Refreshing service 'nu_novell_com'.
Loading repository data...
Reading installed packages...


Information for patch slessp3-glibc-12406:

Name: slessp3-glibc-12406
Version: 1
Arch: noarch
Vendor: maint-coord@suse.de
Status: Needed
Category: security
Created On: Tue 16 Feb 2016 08:39:37 AM MST
Reboot Required: No
Package Manager Restart Required: No
Interactive: No
Summary: Security update for glibc
Description:

This update for glibc fixes the following issues:

- CVE-2015-7547: A stack-based buffer overflow in getaddrinfo allowed remote attackers to cause a crash or execute arbitrary code via crafted and timed DNS responses (bsc#961721)
- CVE-2015-8777: Insufficient checking of LD_POINTER_GUARD environment variable allowed local attackers to bypass the pointer guarding protection of the dynamic loader on set-user-ID and set-group-ID programs (bsc#950944)
- CVE-2015-8776: Out-of-range time values passed to the strftime function may cause it to crash, leading to a denial of service, or potentially disclosure information (bsc#962736)
- CVE-2015-8778: Integer overflow in hcreate and hcreate_r could have caused an out-of-bound memory access. leading to application crashes or, potentially, arbitrary code execution (bsc#962737)
- CVE-2014-9761: A stack overflow (unbounded alloca) could have caused applications which process long strings with the nan function to crash or, potentially, execute arbitrary code. (bsc#962738)
- CVE-2015-8779: A stack overflow (unbounded alloca) in the catopen function could have caused applications which pass long strings to the catopen function to crash or, potentially execute arbitrary code. (bsc#962739)

The following non-security bugs were fixed:

- bsc#930721: Accept leading and trailing spaces in getdate input string
- bsc#942317: Recognize power8 platform
- bsc#950944: Always enable pointer guard
- bsc#956988: Fix deadlock in __dl_iterate_phdr

Provides:
patch:slessp3-glibc-12406 == 1

Conflicts:
srcpackage:glibc < 2.11.3-17.95.2
glibc.x86_64 < 2.11.3-17.95.2
glibc-32bit.x86_64 < 2.11.3-17.95.2
glibc-devel.x86_64 < 2.11.3-17.95.2
glibc-devel-32bit.x86_64 < 2.11.3-17.95.2
glibc-html.x86_64 < 2.11.3-17.95.2
glibc-i18ndata.x86_64 < 2.11.3-17.95.2
glibc-info.x86_64 < 2.11.3-17.95.2
glibc-locale.x86_64 < 2.11.3-17.95.2
glibc-locale-32bit.x86_64 < 2.11.3-17.95.2
glibc-profile.x86_64 < 2.11.3-17.95.2
glibc-profile-32bit.x86_64 < 2.11.3-17.95.2
nscd.x86_64 < 2.11.3-17.95.2
#

# zypper patch --cve=cve-2015-7547
Refreshing service 'nu_novell_com'.
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW patch is going to be installed:
  slessp3-glibc-12406

The following packages are going to be upgraded:
  glibc glibc-32bit glibc-i18ndata glibc-locale glibc-locale-32bit nscd

6 packages to upgrade.
Overall download size: 18.9 MiB. After the operation, additional 59.0 KiB will be used.
Continue? [y/n/?] (y): y
Retrieving package glibc-2.11.3-17.95.2.x86_64 (1/6), 1.9 MiB (5.3 MiB unpacked)
Retrieving delta: ./rpm/x86_64/glibc-2.11.3-17.54.1_17.95.2.x86_64.drpm, 366.0 KiB
Retrieving: glibc-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Applying delta: ./glibc-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Retrieving package glibc-32bit-2.11.3-17.95.2.x86_64 (2/6), 1.1 MiB (2.9 MiB unpacked)
Retrieving delta: ./rpm/x86_64/glibc-32bit-2.11.3-17.54.1_17.95.2.x86_64.drpm, 272.0 KiB
Retrieving: glibc-32bit-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Applying delta: ./glibc-32bit-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Retrieving package glibc-i18ndata-2.11.3-17.95.2.x86_64 (3/6), 3.1 MiB (10.5 MiB unpacked)
Retrieving delta: ./rpm/x86_64/glibc-i18ndata-2.11.3-17.54.1_17.95.2.x86_64.drpm, 86.0 KiB
Retrieving: glibc-i18ndata-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Applying delta: ./glibc-i18ndata-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Retrieving package nscd-2.11.3-17.95.2.x86_64 (4/6), 98.0 KiB (138.0 KiB unpacked)
Retrieving: nscd-2.11.3-17.95.2.x86_64.rpm [done]
Retrieving package glibc-locale-2.11.3-17.95.2.x86_64 (5/6), 11.4 MiB (106.1 MiB unpacked)
Retrieving delta: ./rpm/x86_64/glibc-locale-2.11.3-17.54.1_17.95.2.x86_64.drpm, 710.0 KiB
Retrieving: glibc-locale-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Applying delta: ./glibc-locale-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Retrieving package glibc-locale-32bit-2.11.3-17.95.2.x86_64 (6/6), 1.4 MiB (5.9 MiB unpacked)
Retrieving delta: ./rpm/x86_64/glibc-locale-32bit-2.11.3-17.54.1_17.95.2.x86_64.drpm, 108.0 KiB
Retrieving: glibc-locale-32bit-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Applying delta: ./glibc-locale-32bit-2.11.3-17.54.1_17.95.2.x86_64.drpm [done]
Installing: glibc-2.11.3-17.95.2 [done]
Installing: glibc-32bit-2.11.3-17.95.2 [done]
Installing: glibc-i18ndata-2.11.3-17.95.2 [done]
Installing: nscd-2.11.3-17.95.2 [done]
Installing: glibc-locale-2.11.3-17.95.2 [done]
Installing: glibc-locale-32bit-2.11.3-17.95.2 [done]
There are some running programs that use files deleted by recent upgrade. You may wish to restart some of them. Run 'zypper ps' to list these programs.
#


# rpm -qa | grep glibc
glibc-2.11.3-17.95.2
glibc-32bit-2.11.3-17.95.2
glibc-locale-32bit-2.11.3-17.95.2
glibc-i18ndata-2.11.3-17.95.2
glibc-locale-2.11.3-17.95.2
#


Feedback service temporarily unavailable. For content questions or problems, please contact Support.