Security update for the Linux Kernel

SUSE Security Update: Security update for the Linux Kernel
Announcement ID: SUSE-SU-2016:2074-1
Rating: important
References: #816446 #861093 #928130 #935757 #939826 #942367 #945825 #946117 #946309 #948562 #949744 #949936 #951440 #952384 #953527 #954404 #955354 #955654 #956708 #956709 #958463 #958886 #958951 #959190 #959399 #961500 #961509 #961512 #963765 #963767 #964201 #966437 #966460 #966662 #966693 #967972 #967973 #967974 #967975 #968010 #968011 #968012 #968013 #968670 #970504 #970892 #970909 #970911 #970948 #970956 #970958 #970970 #971124 #971125 #971126 #971360 #972510 #973570 #975945 #977847 #978822
Affected Products:
  • SUSE Linux Enterprise Server 11-SP2-LTSS
  • SUSE Linux Enterprise Debuginfo 11-SP2

  • An update that solves 48 vulnerabilities and has 13 fixes is now available.

    Description:

    The SUSE Linux Enterprise 11 SP2 kernel was updated to receive various
    security and bug fixes.

    The following security bugs were fixed:
    - CVE-2016-4486: Fixed 4 byte information leak in net/core/rtnetlink.c
    (bsc#978822).
    - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not
    validate certain offset fields, which allowed local users to gain
    privileges or cause a denial of service (heap memory corruption) via an
    IPT_SO_SET_REPLACE setsockopt call (bnc#971126).
    - CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of
    unread data in pipes, which allowed local users to cause a denial of
    service (memory consumption) by creating many pipes with non-default
    sizes (bnc#970948).
    - CVE-2016-2188: The iowarrior_probe function in
    drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically
    proximate attackers to cause a denial of service (NULL pointer
    dereference and system crash) via a crafted endpoints value in a USB
    device descriptor (bnc#970956).
    - CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in
    the Linux kernel allowed physically proximate attackers to cause a
    denial of service (NULL pointer dereference and system crash) via a USB
    device without both a control and a data endpoint descriptor
    (bnc#970911).
    - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel
    allowed physically proximate attackers to cause a denial of service
    (NULL pointer dereference and system crash) via a USB device without
    both an interrupt-in and an interrupt-out endpoint descriptor, related
    to the cypress_generic_port_probe and cypress_open functions
    (bnc#970970).
    - CVE-2016-3140: The digi_port_init function in
    drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed
    physically proximate attackers to cause a denial of service (NULL
    pointer dereference and system crash) via a crafted endpoints value in a
    USB device descriptor (bnc#970892).
    - CVE-2016-2186: The powermate_probe function in
    drivers/input/misc/powermate.c in the Linux kernel allowed physically
    proximate attackers to cause a denial of service (NULL pointer
    dereference and system crash) via a crafted endpoints value in a USB
    device descriptor (bnc#970958).
    - CVE-2016-2185: The ati_remote2_probe function in
    drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically
    proximate attackers to cause a denial of service (NULL pointer
    dereference and system crash) via a crafted endpoints value in a USB
    device descriptor (bnc#971124).
    - CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandles
    destruction of device objects, which allowed guest OS users to cause a
    denial of service (host OS networking outage) by arranging for a large
    number of IP addresses (bnc#971360).
    - CVE-2016-2184: The create_fixed_stream_quirk function in
    sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel
    allowed physically proximate attackers to cause a denial of service
    (NULL pointer dereference or double free, and system crash) via a
    crafted endpoints value in a USB device descriptor (bnc#971125).
    - CVE-2016-3139: The wacom_probe function in
    drivers/input/tablet/wacom_sys.c in the Linux kernel allowed physically
    proximate attackers to cause a denial of service (NULL pointer
    dereference and system crash) via a crafted endpoints value in a USB
    device descriptor (bnc#970909).
    - CVE-2016-2143: The fork implementation in the Linux kernel on s390
    platforms mishandled the case of four page-table levels, which allowed
    local users to cause a denial of service (system crash) or possibly have
    unspecified other impact via a crafted application, related to
    arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h
    (bnc#970504).
    - CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in
    the Linux kernel allowed physically proximate attackers to cause a
    denial of service (NULL pointer dereference and system crash) or
    possibly have unspecified other impact by inserting a USB device that
    lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670).
    - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in
    the Linux kernel did not properly maintain a hub-interface data
    structure, which allowed physically proximate attackers to cause a
    denial of service (invalid memory access and system crash) or possibly
    have unspecified other impact by unplugging a USB hub device
    (bnc#968010).
    - CVE-2015-7566: The clie_5_attach function in drivers/usb/serial/visor.c
    in the Linux kernel allowed physically proximate attackers to cause a
    denial of service (NULL pointer dereference and system crash) or
    possibly have unspecified other impact by inserting a USB device that
    lacks a bulk-out endpoint (bnc#961512).
    - CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel did not prevent
    recursive callback access, which allowed local users to cause a denial
    of service (deadlock) via a crafted ioctl call (bnc#968013).
    - CVE-2016-2547: sound/core/timer.c in the Linux kernel employed a locking
    approach that did not consider slave timer instances, which allowed
    local users to cause a denial of service (race condition,
    use-after-free, and system crash) via a crafted ioctl call (bnc#968011).
    - CVE-2016-2548: sound/core/timer.c in the Linux kernel retained certain
    linked lists after a close or stop action, which allowed local users to
    cause a denial of service (system crash) via a crafted ioctl call,
    related to the (1) snd_timer_close and (2) _snd_timer_stop functions
    (bnc#968012).
    - CVE-2016-2546: sound/core/timer.c in the Linux kernel used an incorrect
    type of mutex, which allowed local users to cause a denial of service
    (race condition, use-after-free, and system crash) via a crafted ioctl
    call (bnc#967975).
    - CVE-2016-2545: The snd_timer_interrupt function in sound/core/timer.c in
    the Linux kernel did not properly maintain a certain linked list, which
    allowed local users to cause a denial of service (race condition and
    system crash) via a crafted ioctl call (bnc#967974).
    - CVE-2016-2544: Race condition in the queue_delete function in
    sound/core/seq/seq_queue.c in the Linux kernel allowed local users to
    cause a denial of service (use-after-free and system crash) by making an
    ioctl call at a certain time (bnc#967973).
    - CVE-2016-2543: The snd_seq_ioctl_remove_events function in
    sound/core/seq/seq_clientmgr.c in the Linux kernel did not verify FIFO
    assignment before proceeding with FIFO clearing, which allowed local
    users to cause a denial of service (NULL pointer dereference and OOPS)
    via a crafted ioctl call (bnc#967972).
    - CVE-2016-2384: Double free vulnerability in the snd_usbmidi_create
    function in sound/usb/midi.c in the Linux kernel allowed physically
    proximate attackers to cause a denial of service (panic) or possibly
    have unspecified other impact via vectors involving an invalid USB
    descriptor (bnc#966693).
    - CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel
    did not properly identify error conditions, which allowed remote
    attackers to execute arbitrary code or cause a denial of service
    (use-after-free) via crafted packets (bnc#966437).
    - CVE-2015-8785: The fuse_fill_write_pages function in fs/fuse/file.c in
    the Linux kernel allowed local users to cause a denial of service
    (infinite loop) via a writev system call that triggers a zero length for
    the first segment of an iov (bnc#963765).
    - CVE-2016-2069: Race condition in arch/x86/mm/tlb.c in the Linux kernel
    .4.1 allowed local users to gain privileges by triggering access to a
    paging structure by a different CPU (bnc#963767).
    - CVE-2016-0723: Race condition in the tty_ioctl function in
    drivers/tty/tty_io.c in the Linux kernel allowed local users to obtain
    sensitive information from kernel memory or cause a denial of service
    (use-after-free and system crash) by making a TIOCGETD ioctl call during
    processing of a TIOCSETD ioctl call (bnc#961500).
    - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the
    Linux kernel allowed local users to bypass intended AF_UNIX socket
    permissions or cause a denial of service (panic) via crafted epoll_ctl
    calls (bnc#955654).
    - CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux kernel did not
    properly manage the relationship between a lock and a socket, which
    allowed local users to cause a denial of service (deadlock) via a
    crafted sctp_accept call (bnc#961509).
    - CVE-2015-7515: The aiptek_probe function in
    drivers/input/tablet/aiptek.c in the Linux kernel allowed physically
    proximate attackers to cause a denial of service (NULL pointer
    dereference and system crash) via a crafted USB device that lacks
    endpoints (bnc#956708).
    - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel
    did not validate attempted changes to the MTU value, which allowed
    context-dependent attackers to cause a denial of service (packet loss)
    via a value that is (1) smaller than the minimum compliant value or (2)
    larger than the MTU of an interface, as demonstrated by a Router
    Advertisement (RA) message that is not validated by a daemon, a
    different vulnerability than CVE-2015-0272 (bnc#955354).
    - CVE-2015-7550: The keyctl_read_key function in security/keys/keyctl.c in
    the Linux kernel did not properly use a semaphore, which allowed local
    users to cause a denial of service (NULL pointer dereference and system
    crash) or possibly have unspecified other impact via a crafted
    application that leverages a race condition between keyctl_revoke and
    keyctl_read calls (bnc#958951).
    - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in
    drivers/net/ppp/pptp.c in the Linux kernel did not verify an address
    length, which allowed local users to obtain sensitive information from
    kernel memory and bypass the KASLR protection mechanism via a crafted
    application (bnc#959190).
    - CVE-2015-8575: The sco_sock_bind function in net/bluetooth/sco.c in the
    Linux kernel did not verify an address length, which allowed local users
    to obtain sensitive information from kernel memory and bypass the KASLR
    protection mechanism via a crafted application (bnc#959399).
    - CVE-2015-8543: The networking implementation in the Linux kernel did not
    validate protocol identifiers for certain protocol families, which
    allowed local users to cause a denial of service (NULL function pointer
    dereference and system crash) or possibly gain privileges by leveraging
    CLONE_NEWUSER support to execute a crafted SOCK_RAW application
    (bnc#958886).
    - CVE-2015-8539: The KEYS subsystem in the Linux kernel allowed local
    users to gain privileges or cause a denial of service (BUG) via crafted
    keyctl commands that negatively instantiate a key, related to
    security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and
    security/keys/user_defined.c (bnc#958463).
    - CVE-2015-7509: fs/ext4/namei.c in the Linux kernel allowed physically
    proximate attackers to cause a denial of service (system crash) via a
    crafted no-journal filesystem, a related issue to CVE-2013-2015
    (bnc#956709).
    - CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the
    Linux kernel did not ensure that certain slot numbers are valid, which
    allowed local users to cause a denial of service (NULL pointer
    dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call
    (bnc#949936).
    - CVE-2015-8104: The KVM subsystem in the Linux kernel allowed guest OS
    users to cause a denial of service (host OS panic or hang) by triggering
    many #DB (aka Debug) exceptions, related to svm.c (bnc#954404).
    - CVE-2015-5307: The KVM subsystem in the Linux kernel allowed guest OS
    users to cause a denial of service (host OS panic or hang) by triggering
    many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c
    (bnc#953527).
    - CVE-2015-7990: Race condition in the rds_sendmsg function in
    net/rds/sendmsg.c in the Linux kernel allowed local users to cause a
    denial of service (NULL pointer dereference and system crash) or
    possibly have unspecified other impact by using a socket that was not
    properly bound (bnc#952384).
    - CVE-2015-7872: The key_gc_unused_keys function in security/keys/gc.c in
    the Linux kernel allowed local users to cause a denial of service (OOPS)
    via crafted keyctl commands (bnc#951440).
    - CVE-2015-6937: The __rds_conn_create function in net/rds/connection.c in
    the Linux kernel allowed local users to cause a denial of service (NULL
    pointer dereference and system crash) or possibly have unspecified other
    impact by using a socket that was not properly bound (bnc#945825).
    - CVE-2015-6252: The vhost_dev_ioctl function in drivers/vhost/vhost.c in
    the Linux kernel allowed local users to cause a denial of service
    (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers
    permanent file-descriptor allocation (bnc#942367).
    - CVE-2015-3339: Race condition in the prepare_binprm function in
    fs/exec.c in the Linux kernel allowed local users to gain privileges by
    executing a setuid program at a time instant when a chown to root is in
    progress, and the ownership is changed but the setuid bit is not yet
    stripped (bnc#928130).

    The following non-security bugs were fixed:
    - Fix handling of re-write-before-commit for mmapped NFS pages
    (bsc#964201).
    - Fix lpfc_send_rscn_event allocation size claims bnc#935757
    - Fix ntpd clock synchronization in Xen PV domains (bnc#816446).
    - Fix vmalloc_fault oops during lazy MMU updates (bsc#948562).
    - Make sure XPRT_CONNECTING gets cleared when needed (bsc#946309).
    - SCSI: bfa: Fix to handle firmware tskim abort request response
    (bsc#972510).
    - USB: usbip: fix potential out-of-bounds write (bnc#975945).
    - af_unix: Guard against other == sk in unix_dgram_sendmsg (bsc#973570).
    - dm-snap: avoid deadock on s->lock when a read is split (bsc#939826).
    - mm/hugetlb: check for pte NULL pointer in __page_check_address()
    (bsc#977847).
    - nf_conntrack: fix bsc#758540 kabi fix (bsc#946117).
    - privcmd: allow preempting long running user-mode originating hypercalls
    (bnc#861093).
    - s390/cio: collect format 1 channel-path description data (bsc#966460,
    bsc#966662).
    - s390/cio: ensure consistent measurement state (bsc#966460, bsc#966662).
    - s390/cio: fix measurement characteristics memleak (bsc#966460,
    bsc#966662).
    - s390/cio: update measurement characteristics (bsc#966460, bsc#966662).
    - xfs: Fix lost direct IO write in the last block (bsc#949744).

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server 11-SP2-LTSS:
      zypper in -t patch slessp2-kernel-source-12693=1
    • SUSE Linux Enterprise Debuginfo 11-SP2:
      zypper in -t patch dbgsp2-kernel-source-12693=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):
      • kernel-default-3.0.101-0.7.40.1
      • kernel-default-base-3.0.101-0.7.40.1
      • kernel-default-devel-3.0.101-0.7.40.1
      • kernel-source-3.0.101-0.7.40.1
      • kernel-syms-3.0.101-0.7.40.1
      • kernel-trace-3.0.101-0.7.40.1
      • kernel-trace-base-3.0.101-0.7.40.1
      • kernel-trace-devel-3.0.101-0.7.40.1
    • SUSE Linux Enterprise Server 11-SP2-LTSS (i586 x86_64):
      • kernel-ec2-3.0.101-0.7.40.1
      • kernel-ec2-base-3.0.101-0.7.40.1
      • kernel-ec2-devel-3.0.101-0.7.40.1
      • kernel-xen-3.0.101-0.7.40.1
      • kernel-xen-base-3.0.101-0.7.40.1
      • kernel-xen-devel-3.0.101-0.7.40.1
    • SUSE Linux Enterprise Server 11-SP2-LTSS (s390x):
      • kernel-default-man-3.0.101-0.7.40.1
    • SUSE Linux Enterprise Server 11-SP2-LTSS (i586):
      • kernel-pae-3.0.101-0.7.40.1
      • kernel-pae-base-3.0.101-0.7.40.1
      • kernel-pae-devel-3.0.101-0.7.40.1
    • SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):
      • kernel-default-debuginfo-3.0.101-0.7.40.1
      • kernel-default-debugsource-3.0.101-0.7.40.1
      • kernel-default-devel-debuginfo-3.0.101-0.7.40.1
      • kernel-trace-debuginfo-3.0.101-0.7.40.1
      • kernel-trace-debugsource-3.0.101-0.7.40.1
      • kernel-trace-devel-debuginfo-3.0.101-0.7.40.1
    • SUSE Linux Enterprise Debuginfo 11-SP2 (i586 x86_64):
      • kernel-ec2-debuginfo-3.0.101-0.7.40.1
      • kernel-ec2-debugsource-3.0.101-0.7.40.1
      • kernel-xen-debuginfo-3.0.101-0.7.40.1
      • kernel-xen-debugsource-3.0.101-0.7.40.1
      • kernel-xen-devel-debuginfo-3.0.101-0.7.40.1
    • SUSE Linux Enterprise Debuginfo 11-SP2 (i586):
      • kernel-pae-debuginfo-3.0.101-0.7.40.1
      • kernel-pae-debugsource-3.0.101-0.7.40.1
      • kernel-pae-devel-debuginfo-3.0.101-0.7.40.1

    References: