Security update for Linux Kernel

SUSE Security Update: Security update for Linux Kernel

---

Announcement ID:	SUSE-SU-2015:0812-1
Rating:	important
References:	#677286 #679812 #681175 #681999 #683282 #685402 #687812 #730118 #730200 #738400 #758813 #760902 #769784 #823260 #846404 #853040 #854722 #863335 #874307 #875051 #880484 #883223 #883795 #885422 #891844 #892490 #896390 #896391 #896779 #902346 #907818 #908382 #910251 #911325
Affected Products:	SUSE Linux Enterprise Server 10 SP4 LTSS

---

An update that fixes 39 vulnerabilities is now available.

Description:

The SUSE Linux Enterprise 10 SP4 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs have been fixed:

• CVE-2015-2041: A information leak in the llc2_timeout_table was fixed (bnc#919007).
• CVE-2014-9322: arch/x86/kernel/entry_64.S in the Linux kernel did not properly handle faults associated with the Stack Segment (SS) segment register, which allowed local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space (bnc#910251).
• CVE-2014-9090: The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel did not properly handle faults associated with the Stack Segment (SS) segment register, which allowed local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the 1-clock-tests test suite (bnc#907818).
• CVE-2014-4667: The sctp_association_free function in net/sctp/associola.c in the Linux kernel did not properly manage a certain backlog value, which allowed remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet (bnc#885422).
• CVE-2014-3673: The SCTP implementation in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c (bnc#902346).
• CVE-2014-3185: Multiple buffer overflows in the command_port_read_callback function in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the Linux kernel allowed physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with a bulk response (bnc#896391).
• CVE-2014-3184: The report_fixup functions in the HID subsystem in the Linux kernel might have allowed physically proximate attackers to cause a denial of service (out-of-bounds write) via a crafted device that provides a small report descriptor, related to (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3) drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6) drivers/hid/hid-sunplus.c (bnc#896390).
• CVE-2014-1874: The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel allowed local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context (bnc#863335).
• CVE-2014-0181: The Netlink implementation in the Linux kernel did not provide a mechanism for authorizing socket operations based on the opener of a socket, which allowed local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program (bnc#875051).
• CVE-2013-4299: Interpretation conflict in drivers/md/dm-snap-persistent.c in the Linux kernel allowed remote authenticated users to obtain sensitive information or modify data via a crafted mapping to a snapshot block device (bnc#846404).
• CVE-2013-2147: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel did not initialize certain data structures, which allowed local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c (bnc#823260).
• CVE-2012-6657: The sock_setsockopt function in net/core/sock.c in the Linux kernel did not ensure that a keepalive action is associated with a stream socket, which allowed local users to cause a denial of service (system crash) by leveraging the ability to create a raw socket (bnc#896779).
• CVE-2012-3400: Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem (bnc#769784).
• CVE-2012-2319: Multiple buffer overflows in the hfsplus filesystem implementation in the Linux kernel allowed local users to gain privileges via a crafted HFS plus filesystem, a related issue to CVE-2009-4020 (bnc#760902).
• CVE-2012-2313: The rio_ioctl function in drivers/net/ethernet/dlink/dl2k.c in the Linux kernel did not restrict access to the SIOCSMIIREG command, which allowed local users to write data to an Ethernet adapter via an ioctl call (bnc#758813).
• CVE-2011-4132: The cleanup_journal_tail function in the Journaling Block Device (JBD) functionality in the Linux kernel 2.6 allowed local users to cause a denial of service (assertion error and kernel oops) via an ext3 or ext4 image with an "invalid log first block value" (bnc#730118).
• CVE-2011-4127: The Linux kernel did not properly restrict SG_IO ioctl calls, which allowed local users to bypass intended restrictions on disk read and write operations by sending a SCSI command to (1) a partition block device or (2) an LVM volume (bnc#738400).
• CVE-2011-1585: The cifs_find_smb_ses function in fs/cifs/connect.c in the Linux kernel did not properly determine the associations between users and sessions, which allowed local users to bypass CIFS share authentication by leveraging a mount of a share by a different user (bnc#687812).
• CVE-2011-1494: Integer overflow in the _ctl_do_mpt_command function in drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel might have allowed local users to gain privileges or cause a denial of service (memory corruption) via an ioctl call specifying a crafted value that triggers a heap-based buffer overflow (bnc#685402).
• CVE-2011-1495: drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel did not validate (1) length and (2) offset values before performing memory copy operations, which might allow local users to gain privileges, cause a denial of service (memory corruption), or obtain sensitive information from kernel memory via a crafted ioctl call, related to the _ctl_do_mpt_command and _ctl_diag_read_buffer functions (bnc#685402).
• CVE-2011-1493: Array index error in the rose_parse_national function in net/rose/rose_subr.c in the Linux kernel allowed remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact by composing FAC_NATIONAL_DIGIS data that specifies a large number of digipeaters, and then sending this data to a ROSE socket (bnc#681175).
• CVE-2011-4913: The rose_parse_ccitt function in net/rose/rose_subr.c in the Linux kernel did not validate the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP fields, which allowed remote attackers to (1) cause a denial of service (integer underflow, heap memory corruption, and panic) via a small length value in data sent to a ROSE socket, or (2) conduct stack-based buffer overflow attacks via a large length value in data sent to a ROSE socket (bnc#681175).
• CVE-2011-4914: The ROSE protocol implementation in the Linux kernel did not verify that certain data-length values are consistent with the amount of data sent, which might allow remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) via crafted data to a ROSE socket (bnc#681175).
• CVE-2011-1476: Integer underflow in the Open Sound System (OSS) subsystem in the Linux kernel on unspecified non-x86 platforms allowed local users to cause a denial of service (memory corruption) by leveraging write access to /dev/sequencer (bnc#681999).
• CVE-2011-1477: Multiple array index errors in sound/oss/opl3.c in the Linux kernel allowed local users to cause a denial of service (heap memory corruption) or possibly gain privileges by leveraging write access to /dev/sequencer (bnc#681999).
• CVE-2011-1163: The osf_partition function in fs/partitions/osf.c in the Linux kernel did not properly handle an invalid number of partitions, which might allow local users to obtain potentially sensitive information from kernel heap memory via vectors related to partition-table parsing (bnc#679812).
• CVE-2011-1090: The __nfs4_proc_set_acl function in fs/nfs/nfs4proc.c in the Linux kernel stored NFSv4 ACL data in memory that is allocated by kmalloc but not properly freed, which allowed local users to cause a denial of service (panic) via a crafted attempt to set an ACL (bnc#677286).
• CVE-2014-9584: The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel did not validate a length value in the Extensions Reference (ER) System Use Field, which allowed local users to obtain sensitive information from kernel memory via a crafted iso9660 image (bnc#912654).
• CVE-2014-9420: The rock_continue function in fs/isofs/rock.c in the Linux kernel did not restrict the number of Rock Ridge continuation entries, which allowed local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image (bnc#911325).
• CVE-2014-5471: Stack consumption vulnerability in the parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel allowed local users to cause a denial of service (uncontrolled recursion, and system crash or reboot) via a crafted iso9660 image with a CL entry referring to a directory entry that has a CL entry (bnc#892490).
• CVE-2014-5472: The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel allowed local users to cause a denial of service (unkillable mount process) via a crafted iso9660 image with a self-referential CL entry (bnc#892490).
• CVE-2014-3917: kernel/auditsc.c in the Linux kernel, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allowed local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number (bnc#880484).
• CVE-2014-4652: Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel allowed local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access (bnc#883795).
• CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel did not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allowed local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call (bnc#883795).
• CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel did not properly maintain the user_ctl_count value, which allowed local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls (bnc#883795).
• CVE-2014-4653: sound/core/control.c in the ALSA control implementation in the Linux kernel did not ensure possession of a read/write lock, which allowed local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access (bnc#883795).
• CVE-2014-4656: Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel allowed local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function (bnc#883795).

The following non-security bugs have been fixed:

• usb: class: cdc-acm: Be careful with bInterval (bnc#891844).
• Fix BUG due to racing lookups with reiserfs extended attribute backing directories (bnc#908382).
• reiserfs: eliminate per-super xattr lock (bnc#908382).
• reiserfs: eliminate private use of struct file in xattr (bnc#908382).
• reiserfs: Expand i_mutex to enclose lookup_one_len (bnc#908382).
• reiserfs: fix up lockdep warnings (bnc#908382).
• reiserfs: fix xattr root locking/refcount bug (bnc#908382).
• reiserfs: make per-inode xattr locking more fine grained (bnc#908382).
• reiserfs: remove IS_PRIVATE helpers (bnc#908382).
• reiserfs: simplify xattr internal file lookups/opens (bnc#908382).
• netfilter: TCP conntrack: improve dead connection detection (bnc#874307).
• Fix kABI breakage due to addition of user_ctl_lock (bnc#883795).
• isofs: Fix unchecked printing of ER records.
• kabi: protect struct ip_ct_tcp for bnc#874307 fix (bnc#874307).
• s390: fix system hang on shutdown because of sclp_con (bnc#883223).
• udf: Check component length before reading it.
• udf: Check path length when reading symlink.
• udf: Verify i_size when loading inode.
• udf: Verify symlink size before loading it.
• x86, 64-bit: Move K8 B step iret fixup to fault entry asm (preparatory patch).
• x86, asm: Flip RESTORE_ARGS arguments logic (preparatory patch).
• x86, asm: Thin down SAVE/RESTORE_* asm macros (preparatory patch).
• x86: move dwarf2 related macro to dwarf2.h (preparatory patch).
• xen: x86, asm: Flip RESTORE_ARGS arguments logic (preparatory patch).

Security Issues:

• CVE-2011-1090
• CVE-2011-1163
• CVE-2011-1476
• CVE-2011-1477
• CVE-2011-1493
• CVE-2011-1494
• CVE-2011-1495
• CVE-2011-1585
• CVE-2011-4127
• CVE-2011-4132
• CVE-2011-4913
• CVE-2011-4914
• CVE-2012-2313
• CVE-2012-2319
• CVE-2012-3400
• CVE-2012-6657
• CVE-2013-2147
• CVE-2013-4299
• CVE-2013-6405
• CVE-2013-6463
• CVE-2014-0181
• CVE-2014-1874
• CVE-2014-3184
• CVE-2014-3185
• CVE-2014-3673
• CVE-2014-3917
• CVE-2014-4652
• CVE-2014-4653
• CVE-2014-4654
• CVE-2014-4655
• CVE-2014-4656
• CVE-2014-4667
• CVE-2014-5471
• CVE-2014-5472
• CVE-2014-9090
• CVE-2014-9322
• CVE-2014-9420
• CVE-2014-9584
• CVE-2015-2041

Indications:

Everyone using the Linux Kernel on x86_64 architecture should update.

Special Instructions and Notes:

Please reboot the system after installing this update.

Package List:

• SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):
  • kernel-default-2.6.16.60-0.132.1
  • kernel-source-2.6.16.60-0.132.1
  • kernel-syms-2.6.16.60-0.132.1
• SUSE Linux Enterprise Server 10 SP4 LTSS (i586 x86_64):
  • kernel-debug-2.6.16.60-0.132.1
  • kernel-kdump-2.6.16.60-0.132.1
  • kernel-smp-2.6.16.60-0.132.1
  • kernel-xen-2.6.16.60-0.132.1
• SUSE Linux Enterprise Server 10 SP4 LTSS (i586):
  • kernel-bigsmp-2.6.16.60-0.132.1
  • kernel-kdumppae-2.6.16.60-0.132.1
  • kernel-vmi-2.6.16.60-0.132.1
  • kernel-vmipae-2.6.16.60-0.132.1
  • kernel-xenpae-2.6.16.60-0.132.1

References:

• https://www.suse.com/security/cve/CVE-2011-1090.html
• https://www.suse.com/security/cve/CVE-2011-1163.html
• https://www.suse.com/security/cve/CVE-2011-1476.html
• https://www.suse.com/security/cve/CVE-2011-1477.html
• https://www.suse.com/security/cve/CVE-2011-1493.html
• https://www.suse.com/security/cve/CVE-2011-1494.html
• https://www.suse.com/security/cve/CVE-2011-1495.html
• https://www.suse.com/security/cve/CVE-2011-1585.html
• https://www.suse.com/security/cve/CVE-2011-4127.html
• https://www.suse.com/security/cve/CVE-2011-4132.html
• https://www.suse.com/security/cve/CVE-2011-4913.html
• https://www.suse.com/security/cve/CVE-2011-4914.html
• https://www.suse.com/security/cve/CVE-2012-2313.html
• https://www.suse.com/security/cve/CVE-2012-2319.html
• https://www.suse.com/security/cve/CVE-2012-3400.html
• https://www.suse.com/security/cve/CVE-2012-6657.html
• https://www.suse.com/security/cve/CVE-2013-2147.html
• https://www.suse.com/security/cve/CVE-2013-4299.html
• https://www.suse.com/security/cve/CVE-2013-6405.html
• https://www.suse.com/security/cve/CVE-2013-6463.html
• https://www.suse.com/security/cve/CVE-2014-0181.html
• https://www.suse.com/security/cve/CVE-2014-1874.html
• https://www.suse.com/security/cve/CVE-2014-3184.html
• https://www.suse.com/security/cve/CVE-2014-3185.html
• https://www.suse.com/security/cve/CVE-2014-3673.html
• https://www.suse.com/security/cve/CVE-2014-3917.html
• https://www.suse.com/security/cve/CVE-2014-4652.html
• https://www.suse.com/security/cve/CVE-2014-4653.html
• https://www.suse.com/security/cve/CVE-2014-4654.html
• https://www.suse.com/security/cve/CVE-2014-4655.html
• https://www.suse.com/security/cve/CVE-2014-4656.html
• https://www.suse.com/security/cve/CVE-2014-4667.html
• https://www.suse.com/security/cve/CVE-2014-5471.html
• https://www.suse.com/security/cve/CVE-2014-5472.html
• https://www.suse.com/security/cve/CVE-2014-9090.html
• https://www.suse.com/security/cve/CVE-2014-9322.html
• https://www.suse.com/security/cve/CVE-2014-9420.html
• https://www.suse.com/security/cve/CVE-2014-9584.html
• https://www.suse.com/security/cve/CVE-2015-2041.html
• https://bugzilla.suse.com/677286
• https://bugzilla.suse.com/679812
• https://bugzilla.suse.com/681175
• https://bugzilla.suse.com/681999
• https://bugzilla.suse.com/683282
• https://bugzilla.suse.com/685402
• https://bugzilla.suse.com/687812
• https://bugzilla.suse.com/730118
• https://bugzilla.suse.com/730200
• https://bugzilla.suse.com/738400
• https://bugzilla.suse.com/758813
• https://bugzilla.suse.com/760902
• https://bugzilla.suse.com/769784
• https://bugzilla.suse.com/823260
• https://bugzilla.suse.com/846404
• https://bugzilla.suse.com/853040
• https://bugzilla.suse.com/854722
• https://bugzilla.suse.com/863335
• https://bugzilla.suse.com/874307
• https://bugzilla.suse.com/875051
• https://bugzilla.suse.com/880484
• https://bugzilla.suse.com/883223
• https://bugzilla.suse.com/883795
• https://bugzilla.suse.com/885422
• https://bugzilla.suse.com/891844
• https://bugzilla.suse.com/892490
• https://bugzilla.suse.com/896390
• https://bugzilla.suse.com/896391
• https://bugzilla.suse.com/896779
• https://bugzilla.suse.com/902346
• https://bugzilla.suse.com/907818
• https://bugzilla.suse.com/908382
• https://bugzilla.suse.com/910251
• https://bugzilla.suse.com/911325
• https://download.suse.com/patch/finder/?keywords=15c960abc4733df91b510dfe4ba2ac6d
• https://download.suse.com/patch/finder/?keywords=2a99948c9c3be4a024a9fa4d408002be
• https://download.suse.com/patch/finder/?keywords=53c468d2b277f3335fcb5ddb08bda2e4