openSUSE Security Update: kernel: security and bugfix update ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0957-1 Rating: important References: #788080 #867531 #867723 #877257 #880484 #882189 #883518 #883724 #883795 #885422 #885725 Cross-References: CVE-2014-0131 CVE-2014-2309 CVE-2014-3144 CVE-2014-3145 CVE-2014-3917 CVE-2014-4014 CVE-2014-4171 CVE-2014-4508 CVE-2014-4652 CVE-2014-4653 CVE-2014-4654 CVE-2014-4655 CVE-2014-4656 CVE-2014-4667 CVE-2014-4699 Affected Products: openSUSE 12.3 ______________________________________________________________________________ An update that fixes 15 vulnerabilities is now available. Description: The Linux Kernel was updated to fix various bugs and security issues. CVE-2014-4699: The Linux kernel on Intel processors did not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allowed local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls. CVE-2014-4667: The sctp_association_free function in net/sctp/associola.c in the Linux kernel did not properly manage a certain backlog value, which allowed remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet. CVE-2014-4171: mm/shmem.c in the Linux kernel did not properly implement the interaction between range notification and hole punching, which allowed local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call. CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allowed local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. CVE-2014-4656: Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel allowed local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function. CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel did not properly maintain the user_ctl_count value, which allowed local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel did not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allowed local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call. CVE-2014-4653: sound/core/control.c in the ALSA control implementation in the Linux kernel did not ensure possession of a read/write lock, which allowed local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. CVE-2014-4652: Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel allowed local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. CVE-2014-4014: The capabilities implementation in the Linux kernel did not properly consider that namespaces are inapplicable to inodes, which allowed local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root. CVE-2014-2309: The ip6_route_add function in net/ipv6/route.c in the Linux kernel did not properly count the addition of routes, which allowed remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets. CVE-2014-3917: kernel/auditsc.c in the Linux kernel, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allowed local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number. CVE-2014-0131: Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel allowed attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. CVE-2014-3144: The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel did not check whether a certain length value is sufficiently large, which allowed local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. CVE-2014-3145: The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel used the reverse order in a certain subtraction, which allowed local users to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced. Additional Bug fixed: - HID: logitech-dj: Fix USB 3.0 issue (bnc#788080). Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.3: zypper in -t patch openSUSE-2014-478 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.3 (i586 x86_64): kernel-default-3.7.10-1.40.1 kernel-default-base-3.7.10-1.40.1 kernel-default-base-debuginfo-3.7.10-1.40.1 kernel-default-debuginfo-3.7.10-1.40.1 kernel-default-debugsource-3.7.10-1.40.1 kernel-default-devel-3.7.10-1.40.1 kernel-default-devel-debuginfo-3.7.10-1.40.1 kernel-syms-3.7.10-1.40.1 - openSUSE 12.3 (i686 x86_64): kernel-debug-3.7.10-1.40.1 kernel-debug-base-3.7.10-1.40.1 kernel-debug-base-debuginfo-3.7.10-1.40.1 kernel-debug-debuginfo-3.7.10-1.40.1 kernel-debug-debugsource-3.7.10-1.40.1 kernel-debug-devel-3.7.10-1.40.1 kernel-debug-devel-debuginfo-3.7.10-1.40.1 kernel-desktop-3.7.10-1.40.1 kernel-desktop-base-3.7.10-1.40.1 kernel-desktop-base-debuginfo-3.7.10-1.40.1 kernel-desktop-debuginfo-3.7.10-1.40.1 kernel-desktop-debugsource-3.7.10-1.40.1 kernel-desktop-devel-3.7.10-1.40.1 kernel-desktop-devel-debuginfo-3.7.10-1.40.1 kernel-ec2-3.7.10-1.40.1 kernel-ec2-base-3.7.10-1.40.1 kernel-ec2-base-debuginfo-3.7.10-1.40.1 kernel-ec2-debuginfo-3.7.10-1.40.1 kernel-ec2-debugsource-3.7.10-1.40.1 kernel-ec2-devel-3.7.10-1.40.1 kernel-ec2-devel-debuginfo-3.7.10-1.40.1 kernel-trace-3.7.10-1.40.1 kernel-trace-base-3.7.10-1.40.1 kernel-trace-base-debuginfo-3.7.10-1.40.1 kernel-trace-debuginfo-3.7.10-1.40.1 kernel-trace-debugsource-3.7.10-1.40.1 kernel-trace-devel-3.7.10-1.40.1 kernel-trace-devel-debuginfo-3.7.10-1.40.1 kernel-vanilla-3.7.10-1.40.1 kernel-vanilla-debuginfo-3.7.10-1.40.1 kernel-vanilla-debugsource-3.7.10-1.40.1 kernel-vanilla-devel-3.7.10-1.40.1 kernel-vanilla-devel-debuginfo-3.7.10-1.40.1 kernel-xen-3.7.10-1.40.1 kernel-xen-base-3.7.10-1.40.1 kernel-xen-base-debuginfo-3.7.10-1.40.1 kernel-xen-debuginfo-3.7.10-1.40.1 kernel-xen-debugsource-3.7.10-1.40.1 kernel-xen-devel-3.7.10-1.40.1 kernel-xen-devel-debuginfo-3.7.10-1.40.1 - openSUSE 12.3 (noarch): kernel-devel-3.7.10-1.40.1 kernel-docs-3.7.10-1.40.2 kernel-source-3.7.10-1.40.1 kernel-source-vanilla-3.7.10-1.40.1 - openSUSE 12.3 (i686): kernel-pae-3.7.10-1.40.1 kernel-pae-base-3.7.10-1.40.1 kernel-pae-base-debuginfo-3.7.10-1.40.1 kernel-pae-debuginfo-3.7.10-1.40.1 kernel-pae-debugsource-3.7.10-1.40.1 kernel-pae-devel-3.7.10-1.40.1 kernel-pae-devel-debuginfo-3.7.10-1.40.1 References: http://support.novell.com/security/cve/CVE-2014-0131.html http://support.novell.com/security/cve/CVE-2014-2309.html http://support.novell.com/security/cve/CVE-2014-3144.html http://support.novell.com/security/cve/CVE-2014-3145.html http://support.novell.com/security/cve/CVE-2014-3917.html http://support.novell.com/security/cve/CVE-2014-4014.html http://support.novell.com/security/cve/CVE-2014-4171.html http://support.novell.com/security/cve/CVE-2014-4508.html http://support.novell.com/security/cve/CVE-2014-4652.html http://support.novell.com/security/cve/CVE-2014-4653.html http://support.novell.com/security/cve/CVE-2014-4654.html http://support.novell.com/security/cve/CVE-2014-4655.html http://support.novell.com/security/cve/CVE-2014-4656.html http://support.novell.com/security/cve/CVE-2014-4667.html http://support.novell.com/security/cve/CVE-2014-4699.html https://bugzilla.novell.com/788080 https://bugzilla.novell.com/867531 https://bugzilla.novell.com/867723 https://bugzilla.novell.com/877257 https://bugzilla.novell.com/880484 https://bugzilla.novell.com/882189 https://bugzilla.novell.com/883518 https://bugzilla.novell.com/883724 https://bugzilla.novell.com/883795 https://bugzilla.novell.com/885422 https://bugzilla.novell.com/885725 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org