{"affected":[{"ecosystem_specific":{"binaries":[{"libprocps3":"3.3.9-11.14.1","procps":"3.3.9-11.14.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Desktop 12 SP3","name":"procps","purl":"pkg:rpm/suse/procps&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.3.9-11.14.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"procps-devel":"3.3.9-11.14.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Software Development Kit 12 SP3","name":"procps","purl":"pkg:rpm/suse/procps&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.3.9-11.14.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libprocps3":"3.3.9-11.14.1","procps":"3.3.9-11.14.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 12 SP3","name":"procps","purl":"pkg:rpm/suse/procps&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.3.9-11.14.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libprocps3":"3.3.9-11.14.1","procps":"3.3.9-11.14.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 12 SP3","name":"procps","purl":"pkg:rpm/suse/procps&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.3.9-11.14.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for procps fixes the following security issues:\n\n- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top\n  with HOME unset in an attacker-controlled directory, the attacker could have\n  achieved privilege escalation by exploiting one of several vulnerabilities in\n  the config_file() function (bsc#1092100).\n- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.\n  Inbuilt protection in ps maped a guard page at the end of the overflowed\n  buffer, ensuring that the impact of this flaw is limited to a crash (temporary\n  denial of service) (bsc#1092100).\n- CVE-2018-1124: Prevent multiple integer overflows leading to a heap\n  corruption in file2strvec function. This allowed a privilege escalation for a\n  local attacker who can create entries in procfs by starting processes, which\n  could result in crashes or arbitrary code execution in proc utilities run by\n  other users (bsc#1092100).\n- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was\n  mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).\n- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent\n  truncation/integer overflow issues (bsc#1092100).\n","id":"SUSE-SU-2018:2451-2","modified":"2018-11-26T16:46:46Z","published":"2018-11-26T16:46:46Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2018/suse-su-20182451-2/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1092100"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-1122"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-1123"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-1124"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-1125"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-1126"}],"related":["CVE-2018-1122","CVE-2018-1123","CVE-2018-1124","CVE-2018-1125","CVE-2018-1126"],"summary":"Security update for procps","upstream":["CVE-2018-1122","CVE-2018-1123","CVE-2018-1124","CVE-2018-1125","CVE-2018-1126"]}