[security-announce] SUSE-SU-2016:2074-1: important: Security update for the Linux Kernel

[news 28]

SUSE Security Update: Security update for the Linux Kernel

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2016:2074-1

Rating: important

References: #816446 #861093 #928130 #935757 #939826 #942367

#945825 #946117 #946309 #948562 #949744 #949936

#951440 #952384 #953527 #954404 #955354 #955654

#956708 #956709 #958463 #958886 #958951 #959190

#959399 #961500 #961509 #961512 #963765 #963767

#964201 #966437 #966460 #966662 #966693 #967972

#967973 #967974 #967975 #968010 #968011 #968012

#968013 #968670 #970504 #970892 #970909 #970911

#970948 #970956 #970958 #970970 #971124 #971125

#971126 #971360 #972510 #973570 #975945 #977847

#978822

Cross-References: CVE-2013-2015 CVE-2013-7446 CVE-2015-0272

CVE-2015-3339 CVE-2015-5307 CVE-2015-6252

CVE-2015-6937 CVE-2015-7509 CVE-2015-7515

CVE-2015-7550 CVE-2015-7566 CVE-2015-7799

CVE-2015-7872 CVE-2015-7990 CVE-2015-8104

CVE-2015-8215 CVE-2015-8539 CVE-2015-8543

CVE-2015-8569 CVE-2015-8575 CVE-2015-8767

CVE-2015-8785 CVE-2015-8812 CVE-2015-8816

CVE-2016-0723 CVE-2016-2069 CVE-2016-2143

CVE-2016-2184 CVE-2016-2185 CVE-2016-2186

CVE-2016-2188 CVE-2016-2384 CVE-2016-2543

CVE-2016-2544 CVE-2016-2545 CVE-2016-2546

CVE-2016-2547 CVE-2016-2548 CVE-2016-2549

CVE-2016-2782 CVE-2016-2847 CVE-2016-3134

CVE-2016-3137 CVE-2016-3138 CVE-2016-3139

CVE-2016-3140 CVE-2016-3156 CVE-2016-4486

 

Affected Products:

SUSE Linux Enterprise Server 11-SP2-LTSS

SUSE Linux Enterprise Debuginfo 11-SP2

______________________________________________________________________________

 

An update that solves 48 vulnerabilities and has 13 fixes

is now available.

 

Description:

 

The SUSE Linux Enterprise 11 SP2 kernel was updated to receive various

security and bug fixes.

 

The following security bugs were fixed:

- CVE-2016-4486: Fixed 4 byte information leak in net/core/rtnetlink.c

(bsc#978822).

- CVE-2016-3134: The netfilter subsystem in the Linux kernel did not

validate certain offset fields, which allowed local users to gain

privileges or cause a denial of service (heap memory corruption) via an

IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

- CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of

unread data in pipes, which allowed local users to cause a denial of

service (memory consumption) by creating many pipes with non-default

sizes (bnc#970948).

- CVE-2016-2188: The iowarrior_probe function in

drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically

proximate attackers to cause a denial of service (NULL pointer

dereference and system crash) via a crafted endpoints value in a USB

device descriptor (bnc#970956).

- CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in

the Linux kernel allowed physically proximate attackers to cause a

denial of service (NULL pointer dereference and system crash) via a USB

device without both a control and a data endpoint descriptor

(bnc#970911).

- CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel

allowed physically proximate attackers to cause a denial of service

(NULL pointer dereference and system crash) via a USB device without

both an interrupt-in and an interrupt-out endpoint descriptor, related

to the cypress_generic_port_probe and cypress_open functions

(bnc#970970).

- CVE-2016-3140: The digi_port_init function in

drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed

physically proximate attackers to cause a denial of service (NULL

pointer dereference and system crash) via a crafted endpoints value in a

USB device descriptor (bnc#970892).

- CVE-2016-2186: The powermate_probe function in

drivers/input/misc/powermate.c in the Linux kernel allowed physically

proximate attackers to cause a denial of service (NULL pointer

dereference and system crash) via a crafted endpoints value in a USB

device descriptor (bnc#970958).

- CVE-2016-2185: The ati_remote2_probe function in

drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically

proximate attackers to cause a denial of service (NULL pointer

dereference and system crash) via a crafted endpoints value in a USB

device descriptor (bnc#971124).

- CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandles

destruction of device objects, which allowed guest OS users to cause a

denial of service (host OS networking outage) by arranging for a large

number of IP addresses (bnc#971360).

- CVE-2016-2184: The create_fixed_stream_quirk function in

sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel

allowed physically proximate attackers to cause a denial of service

(NULL pointer dereference or double free, and system crash) via a

crafted endpoints value in a USB device descriptor (bnc#971125).

- CVE-2016-3139: The wacom_probe function in

drivers/input/tablet/wacom_sys.c in the Linux kernel allowed physically

proximate attackers to cause a denial of service (NULL pointer

dereference and system crash) via a crafted endpoints value in a USB

device descriptor (bnc#970909).

- CVE-2016-2143: The fork implementation in the Linux kernel on s390

platforms mishandled the case of four page-table levels, which allowed

local users to cause a denial of service (system crash) or possibly have

unspecified other impact via a crafted application, related to

arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h

(bnc#970504).

- CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in

the Linux kernel allowed physically proximate attackers to cause a

denial of service (NULL pointer dereference and system crash) or

possibly have unspecified other impact by inserting a USB device that

lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670).

- CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in

the Linux kernel did not properly maintain a hub-interface data

structure, which allowed physically proximate attackers to cause a

denial of service (invalid memory access and system crash) or possibly

have unspecified other impact by unplugging a USB hub device

(bnc#968010).

- CVE-2015-7566: The clie_5_attach function in drivers/usb/serial/visor.c

in the Linux kernel allowed physically proximate attackers to cause a

denial of service (NULL pointer dereference and system crash) or

possibly have unspecified other impact by inserting a USB device that

lacks a bulk-out endpoint (bnc#961512).

- CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel did not prevent

recursive callback access, which allowed local users to cause a denial

of service (deadlock) via a crafted ioctl call (bnc#968013).

- CVE-2016-2547: sound/core/timer.c in the Linux kernel employed a locking

approach that did not consider slave timer instances, which allowed

local users to cause a denial of service (race condition,

use-after-free, and system crash) via a crafted ioctl call (bnc#968011).

- CVE-2016-2548: sound/core/timer.c in the Linux kernel retained certain

linked lists after a close or stop action, which allowed local users to

cause a denial of service (system crash) via a crafted ioctl call,

related to the (1) snd_timer_close and (2) _snd_timer_stop functions

(bnc#968012).

- CVE-2016-2546: sound/core/timer.c in the Linux kernel used an incorrect

type of mutex, which allowed local users to cause a denial of service

(race condition, use-after-free, and system crash) via a crafted ioctl

call (bnc#967975).

- CVE-2016-2545: The snd_timer_interrupt function in sound/core/timer.c in

the Linux kernel did not properly maintain a certain linked list, which

allowed local users to cause a denial of service (race condition and

system crash) via a crafted ioctl call (bnc#967974).

- CVE-2016-2544: Race condition in the queue_delete function in

sound/core/seq/seq_queue.c in the Linux kernel allowed local users to

cause a denial of service (use-after-free and system crash) by making an

ioctl call at a certain time (bnc#967973).

- CVE-2016-2543: The snd_seq_ioctl_remove_events function in

sound/core/seq/seq_clientmgr.c in the Linux kernel did not verify FIFO

assignment before proceeding with FIFO clearing, which allowed local

users to cause a denial of service (NULL pointer dereference and OOPS)

via a crafted ioctl call (bnc#967972).

- CVE-2016-2384: Double free vulnerability in the snd_usbmidi_create

function in sound/usb/midi.c in the Linux kernel allowed physically

proximate attackers to cause a denial of service (panic) or possibly

have unspecified other impact via vectors involving an invalid USB

descriptor (bnc#966693).

- CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel

did not properly identify error conditions, which allowed remote

attackers to execute arbitrary code or cause a denial of service

(use-after-free) via crafted packets (bnc#966437).

- CVE-2015-8785: The fuse_fill_write_pages function in fs/fuse/file.c in

the Linux kernel allowed local users to cause a denial of service

(infinite loop) via a writev system call that triggers a zero length for

the first segment of an iov (bnc#963765).

- CVE-2016-2069: Race condition in arch/x86/mm/tlb.c in the Linux kernel

.4.1 allowed local users to gain privileges by triggering access to a

paging structure by a different CPU (bnc#963767).

- CVE-2016-0723: Race condition in the tty_ioctl function in

drivers/tty/tty_io.c in the Linux kernel allowed local users to obtain

sensitive information from kernel memory or cause a denial of service

(use-after-free and system crash) by making a TIOCGETD ioctl call during

processing of a TIOCSETD ioctl call (bnc#961500).

- CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the

Linux kernel allowed local users to bypass intended AF_UNIX socket

permissions or cause a denial of service (panic) via crafted epoll_ctl

calls (bnc#955654).

- CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux kernel did not

properly manage the relationship between a lock and a socket, which

allowed local users to cause a denial of service (deadlock) via a

crafted sctp_accept call (bnc#961509).

- CVE-2015-7515: The aiptek_probe function in

drivers/input/tablet/aiptek.c in the Linux kernel allowed physically

proximate attackers to cause a denial of service (NULL pointer

dereference and system crash) via a crafted USB device that lacks

endpoints (bnc#956708).

- CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel

did not validate attempted changes to the MTU value, which allowed

context-dependent attackers to cause a denial of service (packet loss)

via a value that is (1) smaller than the minimum compliant value or (2)

larger than the MTU of an interface, as demonstrated by a Router

Advertisement (RA) message that is not validated by a daemon, a

different vulnerability than CVE-2015-0272 (bnc#955354).

- CVE-2015-7550: The keyctl_read_key function in security/keys/keyctl.c in

the Linux kernel did not properly use a semaphore, which allowed local

users to cause a denial of service (NULL pointer dereference and system

crash) or possibly have unspecified other impact via a crafted

application that leverages a race condition between keyctl_revoke and

keyctl_read calls (bnc#958951).

- CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in

drivers/net/ppp/pptp.c in the Linux kernel did not verify an address

length, which allowed local users to obtain sensitive information from

kernel memory and bypass the KASLR protection mechanism via a crafted

application (bnc#959190).

- CVE-2015-8575: The sco_sock_bind function in net/bluetooth/sco.c in the

Linux kernel did not verify an address length, which allowed local users

to obtain sensitive information from kernel memory and bypass the KASLR

protection mechanism via a crafted application (bnc#959399).

- CVE-2015-8543: The networking implementation in the Linux kernel did not

validate protocol identifiers for certain protocol families, which

allowed local users to cause a denial of service (NULL function pointer

dereference and system crash) or possibly gain privileges by leveraging

CLONE_NEWUSER support to execute a crafted SOCK_RAW application

(bnc#958886).

- CVE-2015-8539: The KEYS subsystem in the Linux kernel allowed local

users to gain privileges or cause a denial of service (BUG) via crafted

keyctl commands that negatively instantiate a key, related to

security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and

security/keys/user_defined.c (bnc#958463).

- CVE-2015-7509: fs/ext4/namei.c in the Linux kernel allowed physically

proximate attackers to cause a denial of service (system crash) via a

crafted no-journal filesystem, a related issue to CVE-2013-2015

(bnc#956709).

- CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the

Linux kernel did not ensure that certain slot numbers are valid, which

allowed local users to cause a denial of service (NULL pointer

dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call

(bnc#949936).

- CVE-2015-8104: The KVM subsystem in the Linux kernel allowed guest OS

users to cause a denial of service (host OS panic or hang) by triggering

many #DB (aka Debug) exceptions, related to svm.c (bnc#954404).

- CVE-2015-5307: The KVM subsystem in the Linux kernel allowed guest OS

users to cause a denial of service (host OS panic or hang) by triggering

many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c

(bnc#953527).

- CVE-2015-7990: Race condition in the rds_sendmsg function in

net/rds/sendmsg.c in the Linux kernel allowed local users to cause a

denial of service (NULL pointer dereference and system crash) or

possibly have unspecified other impact by using a socket that was not

properly bound (bnc#952384).

- CVE-2015-7872: The key_gc_unused_keys function in security/keys/gc.c in

the Linux kernel allowed local users to cause a denial of service (OOPS)

via crafted keyctl commands (bnc#951440).

- CVE-2015-6937: The __rds_conn_create function in net/rds/connection.c in

the Linux kernel allowed local users to cause a denial of service (NULL

pointer dereference and system crash) or possibly have unspecified other

impact by using a socket that was not properly bound (bnc#945825).

- CVE-2015-6252: The vhost_dev_ioctl function in drivers/vhost/vhost.c in

the Linux kernel allowed local users to cause a denial of service

(memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers

permanent file-descriptor allocation (bnc#942367).

- CVE-2015-3339: Race condition in the prepare_binprm function in

fs/exec.c in the Linux kernel allowed local users to gain privileges by

executing a setuid program at a time instant when a chown to root is in

progress, and the ownership is changed but the setuid bit is not yet

stripped (bnc#928130).

 

The following non-security bugs were fixed:

- Fix handling of re-write-before-commit for mmapped NFS pages

(bsc#964201).

- Fix lpfc_send_rscn_event allocation size claims bnc#935757

- Fix ntpd clock synchronization in Xen PV domains (bnc#816446).

- Fix vmalloc_fault oops during lazy MMU updates (bsc#948562).

- Make sure XPRT_CONNECTING gets cleared when needed (bsc#946309).

- SCSI: bfa: Fix to handle firmware tskim abort request response

(bsc#972510).

- USB: usbip: fix potential out-of-bounds write (bnc#975945).

- af_unix: Guard against other == sk in unix_dgram_sendmsg (bsc#973570).

- dm-snap: avoid deadock on s->lock when a read is split (bsc#939826).

- mm/hugetlb: check for pte NULL pointer in __page_check_address()

(bsc#977847).

- nf_conntrack: fix bsc#758540 kabi fix (bsc#946117).

- privcmd: allow preempting long running user-mode originating hypercalls

(bnc#861093).

- s390/cio: collect format 1 channel-path description data (bsc#966460,

bsc#966662).

- s390/cio: ensure consistent measurement state (bsc#966460, bsc#966662).

- s390/cio: fix measurement characteristics memleak (bsc#966460,

bsc#966662).

- s390/cio: update measurement characteristics (bsc#966460, bsc#966662).

- xfs: Fix lost direct IO write in the last block (bsc#949744).

 

 

Patch Instructions:

 

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- SUSE Linux Enterprise Server 11-SP2-LTSS:

 

zypper in -t patch slessp2-kernel-source-12693=1

 

- SUSE Linux Enterprise Debuginfo 11-SP2:

 

zypper in -t patch dbgsp2-kernel-source-12693=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

 

kernel-default-3.0.101-0.7.40.1

kernel-default-base-3.0.101-0.7.40.1

kernel-default-devel-3.0.101-0.7.40.1

kernel-source-3.0.101-0.7.40.1

kernel-syms-3.0.101-0.7.40.1

kernel-trace-3.0.101-0.7.40.1

kernel-trace-base-3.0.101-0.7.40.1

kernel-trace-devel-3.0.101-0.7.40.1

 

- SUSE Linux Enterprise Server 11-SP2-LTSS (i586 x86_64):

 

kernel-ec2-3.0.101-0.7.40.1

kernel-ec2-base-3.0.101-0.7.40.1

kernel-ec2-devel-3.0.101-0.7.40.1

kernel-xen-3.0.101-0.7.40.1

kernel-xen-base-3.0.101-0.7.40.1

kernel-xen-devel-3.0.101-0.7.40.1

 

- SUSE Linux Enterprise Server 11-SP2-LTSS (s390x):

 

kernel-default-man-3.0.101-0.7.40.1

 

- SUSE Linux Enterprise Server 11-SP2-LTSS (i586):

 

kernel-pae-3.0.101-0.7.40.1

kernel-pae-base-3.0.101-0.7.40.1

kernel-pae-devel-3.0.101-0.7.40.1

 

- SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):

 

kernel-default-debuginfo-3.0.101-0.7.40.1

kernel-default-debugsource-3.0.101-0.7.40.1

kernel-default-devel-debuginfo-3.0.101-0.7.40.1

kernel-trace-debuginfo-3.0.101-0.7.40.1

kernel-trace-debugsource-3.0.101-0.7.40.1

kernel-trace-devel-debuginfo-3.0.101-0.7.40.1

 

- SUSE Linux Enterprise Debuginfo 11-SP2 (i586 x86_64):

 

kernel-ec2-debuginfo-3.0.101-0.7.40.1

kernel-ec2-debugsource-3.0.101-0.7.40.1

kernel-xen-debuginfo-3.0.101-0.7.40.1

kernel-xen-debugsource-3.0.101-0.7.40.1

kernel-xen-devel-debuginfo-3.0.101-0.7.40.1

 

- SUSE Linux Enterprise Debuginfo 11-SP2 (i586):

 

kernel-pae-debuginfo-3.0.101-0.7.40.1

kernel-pae-debugsource-3.0.101-0.7.40.1

kernel-pae-devel-debuginfo-3.0.101-0.7.40.1

 

 

References:

 

https://www.suse.com/security/cve/CVE-2013-2015.html

https://www.suse.com/security/cve/CVE-2013-7446.html

https://www.suse.com/security/cve/CVE-2015-0272.html

https://www.suse.com/security/cve/CVE-2015-3339.html

https://www.suse.com/security/cve/CVE-2015-5307.html

https://www.suse.com/security/cve/CVE-2015-6252.html

https://www.suse.com/security/cve/CVE-2015-6937.html

https://www.suse.com/security/cve/CVE-2015-7509.html

https://www.suse.com/security/cve/CVE-2015-7515.html

https://www.suse.com/security/cve/CVE-2015-7550.html

https://www.suse.com/security/cve/CVE-2015-7566.html

https://www.suse.com/security/cve/CVE-2015-7799.html

https://www.suse.com/security/cve/CVE-2015-7872.html

https://www.suse.com/security/cve/CVE-2015-7990.html

https://www.suse.com/security/cve/CVE-2015-8104.html

https://www.suse.com/security/cve/CVE-2015-8215.html

https://www.suse.com/security/cve/CVE-2015-8539.html

https://www.suse.com/security/cve/CVE-2015-8543.html

https://www.suse.com/security/cve/CVE-2015-8569.html

https://www.suse.com/security/cve/CVE-2015-8575.html

https://www.suse.com/security/cve/CVE-2015-8767.html

https://www.suse.com/security/cve/CVE-2015-8785.html

https://www.suse.com/security/cve/CVE-2015-8812.html

https://www.suse.com/security/cve/CVE-2015-8816.html

https://www.suse.com/security/cve/CVE-2016-0723.html

https://www.suse.com/security/cve/CVE-2016-2069.html

https://www.suse.com/security/cve/CVE-2016-2143.html

https://www.suse.com/security/cve/CVE-2016-2184.html

https://www.suse.com/security/cve/CVE-2016-2185.html

https://www.suse.com/security/cve/CVE-2016-2186.html

https://www.suse.com/security/cve/CVE-2016-2188.html

https://www.suse.com/security/cve/CVE-2016-2384.html

https://www.suse.com/security/cve/CVE-2016-2543.html

https://www.suse.com/security/cve/CVE-2016-2544.html

https://www.suse.com/security/cve/CVE-2016-2545.html

https://www.suse.com/security/cve/CVE-2016-2546.html

https://www.suse.com/security/cve/CVE-2016-2547.html

https://www.suse.com/security/cve/CVE-2016-2548.html

https://www.suse.com/security/cve/CVE-2016-2549.html

https://www.suse.com/security/cve/CVE-2016-2782.html

https://www.suse.com/security/cve/CVE-2016-2847.html

https://www.suse.com/security/cve/CVE-2016-3134.html

https://www.suse.com/security/cve/CVE-2016-3137.html

https://www.suse.com/security/cve/CVE-2016-3138.html

https://www.suse.com/security/cve/CVE-2016-3139.html

https://www.suse.com/security/cve/CVE-2016-3140.html

https://www.suse.com/security/cve/CVE-2016-3156.html

https://www.suse.com/security/cve/CVE-2016-4486.html

https://bugzilla.suse.com/816446

https://bugzilla.suse.com/861093

https://bugzilla.suse.com/928130

https://bugzilla.suse.com/935757

https://bugzilla.suse.com/939826

https://bugzilla.suse.com/942367

https://bugzilla.suse.com/945825

https://bugzilla.suse.com/946117

https://bugzilla.suse.com/946309

https://bugzilla.suse.com/948562

https://bugzilla.suse.com/949744

https://bugzilla.suse.com/949936

https://bugzilla.suse.com/951440

https://bugzilla.suse.com/952384

https://bugzilla.suse.com/953527

https://bugzilla.suse.com/954404

https://bugzilla.suse.com/955354

https://bugzilla.suse.com/955654

https://bugzilla.suse.com/956708

https://bugzilla.suse.com/956709

https://bugzilla.suse.com/958463

https://bugzilla.suse.com/958886

https://bugzilla.suse.com/958951

https://bugzilla.suse.com/959190

https://bugzilla.suse.com/959399

https://bugzilla.suse.com/961500

https://bugzilla.suse.com/961509

https://bugzilla.suse.com/961512

https://bugzilla.suse.com/963765

https://bugzilla.suse.com/963767

https://bugzilla.suse.com/964201

https://bugzilla.suse.com/966437

https://bugzilla.suse.com/966460

https://bugzilla.suse.com/966662

https://bugzilla.suse.com/966693

https://bugzilla.suse.com/967972

https://bugzilla.suse.com/967973

https://bugzilla.suse.com/967974

https://bugzilla.suse.com/967975

https://bugzilla.suse.com/968010

https://bugzilla.suse.com/968011

https://bugzilla.suse.com/968012

https://bugzilla.suse.com/968013

https://bugzilla.suse.com/968670

https://bugzilla.suse.com/970504

https://bugzilla.suse.com/970892

https://bugzilla.suse.com/970909

https://bugzilla.suse.com/970911

https://bugzilla.suse.com/970948

https://bugzilla.suse.com/970956

https://bugzilla.suse.com/970958

https://bugzilla.suse.com/970970

https://bugzilla.suse.com/971124

https://bugzilla.suse.com/971125

https://bugzilla.suse.com/971126

https://bugzilla.suse.com/971360

https://bugzilla.suse.com/972510

https://bugzilla.suse.com/973570

https://bugzilla.suse.com/975945

https://bugzilla.suse.com/977847

https://bugzilla.suse.com/978822

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org