Security update for permissions SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0302-1 Final 1 1 2020-03-04T19:15:35Z current 2020-03-04T19:15:35Z 2020-03-04T19:15:35Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for permissions This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). This update was imported from the SUSE:SLE-15-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-302 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HFSFYZA4G7R3442IVOYMGCDA7OPFIWTA/ E-Mail link for openSUSE-SU-2020:0302-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1148788 SUSE Bug 1148788 https://bugzilla.suse.com/1160594 SUSE Bug 1160594 https://bugzilla.suse.com/1160764 SUSE Bug 1160764 https://bugzilla.suse.com/1161779 SUSE Bug 1161779 https://bugzilla.suse.com/1163922 SUSE Bug 1163922 https://www.suse.com/security/cve/CVE-2019-3687/ SUSE CVE CVE-2019-3687 page https://www.suse.com/security/cve/CVE-2020-8013/ SUSE CVE CVE-2020-8013 page openSUSE Leap 15.1 permissions-20181116-lp151.4.12.1 permissions-zypp-plugin-20181116-lp151.4.12.1 permissions-20181116-lp151.4.12.1 as a component of openSUSE Leap 15.1 permissions-zypp-plugin-20181116-lp151.4.12.1 as a component of openSUSE Leap 15.1 The permission package in SUSE Linux Enterprise Server allowed all local users to run dumpcap in the "easy" permission profile and sniff network traffic. This issue affects: SUSE Linux Enterprise Server permissions versions starting from 85c83fef7e017f8ab7f8602d3163786d57344439 to 081d081dcfaf61710bda34bc21c80c66276119aa. CVE-2019-3687 openSUSE Leap 15.1:permissions-20181116-lp151.4.12.1 openSUSE Leap 15.1:permissions-zypp-plugin-20181116-lp151.4.12.1 moderate 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HFSFYZA4G7R3442IVOYMGCDA7OPFIWTA/ https://www.suse.com/security/cve/CVE-2019-3687.html CVE-2019-3687 https://bugzilla.suse.com/1148788 SUSE Bug 1148788 https://bugzilla.suse.com/1180102 SUSE Bug 1180102 A UNIX Symbolic Link (Symlink) Following vulnerability in chkstat of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15, SUSE Linux Enterprise Server 11 set permissions intended for specific binaries on other binaries because it erroneously followed symlinks. The symlinks can't be controlled by attackers on default systems, so exploitation is difficult. This issue affects: SUSE Linux Enterprise Server 12 permissions versions prior to 2015.09.28.1626-17.27.1. SUSE Linux Enterprise Server 15 permissions versions prior to 20181116-9.23.1. SUSE Linux Enterprise Server 11 permissions versions prior to 2013.1.7-0.6.12.1. CVE-2020-8013 openSUSE Leap 15.1:permissions-20181116-lp151.4.12.1 openSUSE Leap 15.1:permissions-zypp-plugin-20181116-lp151.4.12.1 moderate 1.9 AV:L/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HFSFYZA4G7R3442IVOYMGCDA7OPFIWTA/ https://www.suse.com/security/cve/CVE-2020-8013.html CVE-2020-8013 https://bugzilla.suse.com/1163922 SUSE Bug 1163922