[security-announce] SUSE-SU-2016:1707-1: important: Security update for the Linux Kernel

30 Jun 2016

      SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1707-1
Rating:             important
References:         #898592 #940413 #946122 #949752 #956852 #957988 
                    #957990 #959381 #960458 #961512 #963998 #965319 
                    #965860 #965923 #967863 #968010 #968018 #968141 
                    #968566 #968670 #968687 #969356 #970504 #970892 
                    #970909 #970911 #970948 #970956 #970958 #970970 
                    #971124 #971125 #971360 #971433 #971729 #972363 
                    #973237 #973378 #973556 #973570 #975772 #975945 

Cross-References:   CVE-2015-1339 CVE-2015-7566 CVE-2015-8551
                    CVE-2015-8552 CVE-2015-8816 CVE-2016-2143
                    CVE-2016-2184 CVE-2016-2185 CVE-2016-2186
                    CVE-2016-2188 CVE-2016-2782 CVE-2016-2847
                    CVE-2016-3137 CVE-2016-3138 CVE-2016-3139
                    CVE-2016-3140 CVE-2016-3156
Affected Products:
                    SUSE Linux Enterprise Real Time Extension 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves 17 vulnerabilities and has 25 fixes
   is now available.

Description:

   The SUSE Linux Enterprise 11 SP4 Realtime kernel was updated to receive
   various security and bugfixes.

   The following security bugs were fixed:
   - CVE-2015-1339: Memory leak in the cuse_channel_release function in
     fs/fuse/cuse.c in the Linux kernel allowed local users to cause a denial
     of service (memory consumption) or possibly have unspecified other
      impact by opening /dev/cuse many times (bnc#969356).
   - CVE-2015-7566: The clie_5_attach function in drivers/usb/serial/visor.c
     in the Linux kernel allowed physically proximate attackers to cause a
     denial of service (NULL pointer dereference and system crash) or
     possibly have unspecified other impact by inserting a USB device that
     lacks a bulk-out endpoint (bnc#961512).
   - CVE-2015-8551: The PCI backend driver in Xen, when running on an x86
     system and using Linux 3.1.x through 4.3.x as the driver domain, allowed
     local guest administrators to hit BUG conditions and cause a denial of
     service (NULL pointer dereference and host OS crash) by leveraging a
     system with access to a passed-through MSI or MSI-X capable physical PCI
     device and a crafted sequence of XEN_PCI_OP_* operations, aka "Linux
     pciback missing sanity checks (bnc#957990).
   - CVE-2015-8552: The PCI backend driver in Xen, when running on an x86
     system and using Linux 3.1.x through 4.3.x as the driver domain, allowed
     local guest administrators to generate a continuous stream
     of WARN messages and cause a denial of service (disk consumption) by
      leveraging a system with access to a passed-through MSI or MSI-X
      capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka
      "Linux pciback missing sanity checks (bnc#957990).
   - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in
     the Linux kernel did not properly maintain a hub-interface data
     structure, which allowed physically proximate attackers to cause a
     denial of service (invalid memory access and system crash) or possibly
     have unspecified
     other impact by unplugging a USB hub device (bnc#968010).
   - CVE-2016-2143: The fork implementation in the Linux kernel on s390
     platforms mishandles the case of four page-table levels, which allowed
     local users to cause a denial of service (system crash) or possibly have
     unspecified other impact via a crafted application, related to
     arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h
     (bnc#970504).
   - CVE-2016-2184: The create_fixed_stream_quirk function in
     sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel
     allowed physically proximate attackers to cause a denial of service
     (NULL pointer dereference or double free, and system crash) via a
     crafted endpoints value in a USB device descriptor (bnc#971125).
   - CVE-2016-2185: The ati_remote2_probe function in
     drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically
     proximate attackers to cause a denial of service (NULL pointer
     dereference and system crash) via a crafted endpoints value in a USB
     device descriptor (bnc#971124).
   - CVE-2016-2186: The powermate_probe function in
     drivers/input/misc/powermate.c in the Linux kernel allowed physically
     proximate attackers to cause a denial of service (NULL pointer
     dereference and system crash) via a crafted endpoints value in a USB
     device descriptor (bnc#970958).
   - CVE-2016-2188: The iowarrior_probe function in
     drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically
     proximate attackers to cause a denial of service (NULL pointer
     dereference and system crash) via a crafted endpoints value in a USB
     device descriptor (bnc#970956).
   - CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in
     the Linux kernel allowed physically proximate attackers to cause a
     denial of service (NULL pointer dereference and system crash) or
     possibly have unspecified other impact by inserting a USB device that
     lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670).
   - CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount
     of unread data in pipes, which allowed local users to cause a denial of
      service (memory consumption) by creating many pipes with non-default
      sizes (bnc#970948).
   - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel
     allowed physically proximate attackers to cause a denial of service
     (NULL pointer dereference and system crash) via a USB device without
     both an interrupt-in and an interrupt-out endpoint descriptor, related
     to the cypress_generic_port_probe and cypress_open functions
     (bnc#970970).
   - CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in
     the Linux kernel allowed physically proximate attackers to cause a
     denial of service (NULL pointer dereference and system crash) via a USB
     device without both a control and a data endpoint descriptor
     (bnc#970911).
   - CVE-2016-3139: The wacom_probe function in
     drivers/input/tablet/wacom_sys.c in the Linux kernel allowed physically
     proximate attackers to cause a denial of service (NULL pointer
     dereference and system crash) via a crafted endpoints value in a USB
     device descriptor (bnc#970909).
   - CVE-2016-3140: The digi_port_init function in
     drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed
     physically proximate attackers to cause a denial of service (NULL
     pointer dereference and system crash) via a crafted endpoints value in a
     USB device descriptor (bnc#970892).
   - CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandles
     destruction of device objects, which allowed guest OS users to cause a
     denial of service (host OS networking outage) by arranging for a large
     number of IP addresses (bnc#971360).

   The following non-security bugs were fixed:
   - acpi / pci: Account for ARI in _PRT lookups (bsc#968566).
   - af_unix: Guard against other == sk in unix_dgram_sendmsg (bsc#973570).
   - alsa: pcm: Fix potential deadlock in OSS emulation (bsc#968018).
   - alsa: rawmidi: Fix race at copying & updating the position (bsc#968018).
   - alsa: rawmidi: Make snd_rawmidi_transmit() race-free (bsc#968018).
   - alsa: seq: Fix double port list deletion (bsc#968018).
   - alsa: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup()
     (bsc#968018).
   - alsa: seq: Fix leak of pool buffer at concurrent writes (bsc#968018).
   - alsa: seq: Fix lockdep warnings due to double mutex locks (bsc#968018).
   - alsa: seq: Fix race at closing in virmidi driver (bsc#968018).
   - alsa: seq: Fix yet another races among ALSA timer accesses (bsc#968018).
   - alsa: timer: Call notifier in the same spinlock (bsc#973378).
   - alsa: timer: Code cleanup (bsc#968018).
   - alsa: timer: Fix leftover link at closing (bsc#968018).
   - alsa: timer: Fix link corruption due to double start or stop
     (bsc#968018).
   - alsa: timer: Fix race between stop and interrupt (bsc#968018).
   - alsa: timer: Fix wrong instance passed to slave callbacks (bsc#968018).
   - alsa: timer: Protect the whole snd_timer_close() with open race
     (bsc#973378).
   - alsa: timer: Sync timer deletion at closing the system timer
     (bsc#973378).
   - alsa: timer: Use mod_timer() for rearming the system timer (bsc#973378).
   - dcache: use IS_ROOT to decide where dentry is hashed (bsc#949752).
   - fs, seqfile: always allow oom killer (bnc#968687).
   - fs/seq_file: fallback to vmalloc allocation (bnc#968687).
   - fs, seq_file: fallback to vmalloc instead of oom kill processes
     (bnc#968687).
   - hpsa: fix issues with multilun devices (bsc#959381).
   - ibmvscsi: Remove unsupported host config MAD (bsc#973556).
   - iommu/vt-d: Improve fault handler error messages (bsc#975772).
   - iommu/vt-d: Ratelimit fault handler (bsc#975772).
   - ipv6: make fib6 serial number per namespace (bsc#965319).
   - ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs
     (bsc#956852).
   - ipv6: per netns fib6 walkers (bsc#965319).
   - ipv6: per netns FIB garbage collection (bsc#965319).
   - ipv6: replace global gc_args with local variable (bsc#965319).
   - kabi, fs/seq_file: fallback to vmalloc allocation (bnc#968687).
   - kabi: Import kabi files from kernel 3.0.101-71
   - kabi: protect struct netns_ipv6 after FIB6 GC series (bsc#965319).
   - kabi: Restore kabi after lock-owner change (bnc#968141).
   - llist: Add llist_next() (fate#316876).
   - make vfree() safe to call from interrupt contexts (fate#316876).
   - mld, igmp: Fix reserved tailroom calculation (bsc#956852).
   - net/core: dev_mc_sync_multiple calls wrong helper (bsc#971433).
   - net/core: __hw_addr_create_ex does not initialize sync_cnt (bsc#971433).
   - net/core: __hw_addr_sync_one / _multiple broken (bsc#971433).
   - net/core: __hw_addr_unsync_one "from" address not marked synced
     (bsc#971433).
   - nfs4: treat lock owners as opaque values (bnc#968141).
   - nfsd4: return nfserr_symlink on v4 OPEN of non-regular file (bsc#973237).
   - nfsd: do not fail unchecked creates of non-special files (bsc#973237).
   - nfs: use smaller allocations for 'struct idmap' (bsc#965923).
   - pciback: check PF instead of VF for PCI_COMMAND_MEMORY (bsc#957990).
   - pciback: Save the number of MSI-X entries to be copied later
     (bsc#957988).
   - pci: Move pci_ari_enabled() to global header (bsc#968566).
   - pci: Update PCI VPD size patch to upstream: - PCI: Determine actual VPD
     size on first access (bsc#971729). - PCI: Update VPD definitions
     (bsc#971729).
   - rdma/ucma: Fix AB-BA deadlock (bsc#963998).
   - s390/pageattr: Do a single TLB flush for change_page_attr (bsc#940413).
   - scsi_dh_alua: Do not block request queue if workqueue is active
     (bsc#960458).
   - scsi: mpt2sas: Rearrange the the code so that the completion queues are
     initialized prior to sending the request to controller firmware
     (bsc#967863).
   - skb: Add inline helper for getting the skb end offset from head
     (bsc#956852).
   - tcp: avoid order-1 allocations on wifi and tx path (bsc#956852).
   - tcp: fix skb_availroom() (bsc#956852).
   - usb: usbip: fix potential out-of-bounds write (bnc#975945).
   - vmxnet3: set carrier state properly on probe (bsc#972363).
   - vmxnet3: set netdev parant device before calling netdev_info
     (bsc#972363).
   - xfrm: do not segment UFO packets (bsc#946122).
   - xfs: fix sgid inheritance for subdirectories inheriting default acls
     [V3] (bsc#965860).
   - xhci: Workaround to get Intel xHCI reset working more reliably
     (bnc#898592).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Real Time Extension 11-SP4:

      zypper in -t patch slertesp4-kernel-rt-12636=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-kernel-rt-12636=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Real Time Extension 11-SP4 (x86_64):

      kernel-rt-3.0.101.rt130-54.1
      kernel-rt-base-3.0.101.rt130-54.1
      kernel-rt-devel-3.0.101.rt130-54.1
      kernel-rt_trace-3.0.101.rt130-54.1
      kernel-rt_trace-base-3.0.101.rt130-54.1
      kernel-rt_trace-devel-3.0.101.rt130-54.1
      kernel-source-rt-3.0.101.rt130-54.1
      kernel-syms-rt-3.0.101.rt130-54.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):

      kernel-rt-debuginfo-3.0.101.rt130-54.1
      kernel-rt-debugsource-3.0.101.rt130-54.1
      kernel-rt_debug-debuginfo-3.0.101.rt130-54.1
      kernel-rt_debug-debugsource-3.0.101.rt130-54.1
      kernel-rt_trace-debuginfo-3.0.101.rt130-54.1
      kernel-rt_trace-debugsource-3.0.101.rt130-54.1

References:

   https://www.suse.com/security/cve/CVE-2015-1339.html
   https://www.suse.com/security/cve/CVE-2015-7566.html
   https://www.suse.com/security/cve/CVE-2015-8551.html
   https://www.suse.com/security/cve/CVE-2015-8552.html
   https://www.suse.com/security/cve/CVE-2015-8816.html
   https://www.suse.com/security/cve/CVE-2016-2143.html
   https://www.suse.com/security/cve/CVE-2016-2184.html
   https://www.suse.com/security/cve/CVE-2016-2185.html
   https://www.suse.com/security/cve/CVE-2016-2186.html
   https://www.suse.com/security/cve/CVE-2016-2188.html
   https://www.suse.com/security/cve/CVE-2016-2782.html
   https://www.suse.com/security/cve/CVE-2016-2847.html
   https://www.suse.com/security/cve/CVE-2016-3137.html
   https://www.suse.com/security/cve/CVE-2016-3138.html
   https://www.suse.com/security/cve/CVE-2016-3139.html
   https://www.suse.com/security/cve/CVE-2016-3140.html
   https://www.suse.com/security/cve/CVE-2016-3156.html
   https://bugzilla.suse.com/898592
   https://bugzilla.suse.com/940413
   https://bugzilla.suse.com/946122
   https://bugzilla.suse.com/949752
   https://bugzilla.suse.com/956852
   https://bugzilla.suse.com/957988
   https://bugzilla.suse.com/957990
   https://bugzilla.suse.com/959381
   https://bugzilla.suse.com/960458
   https://bugzilla.suse.com/961512
   https://bugzilla.suse.com/963998
   https://bugzilla.suse.com/965319
   https://bugzilla.suse.com/965860
   https://bugzilla.suse.com/965923
   https://bugzilla.suse.com/967863
   https://bugzilla.suse.com/968010
   https://bugzilla.suse.com/968018
   https://bugzilla.suse.com/968141
   https://bugzilla.suse.com/968566
   https://bugzilla.suse.com/968670
   https://bugzilla.suse.com/968687
   https://bugzilla.suse.com/969356
   https://bugzilla.suse.com/970504
   https://bugzilla.suse.com/970892
   https://bugzilla.suse.com/970909
   https://bugzilla.suse.com/970911
   https://bugzilla.suse.com/970948
   https://bugzilla.suse.com/970956
   https://bugzilla.suse.com/970958
   https://bugzilla.suse.com/970970
   https://bugzilla.suse.com/971124
   https://bugzilla.suse.com/971125
   https://bugzilla.suse.com/971360
   https://bugzilla.suse.com/971433
   https://bugzilla.suse.com/971729
   https://bugzilla.suse.com/972363
   https://bugzilla.suse.com/973237
   https://bugzilla.suse.com/973378
   https://bugzilla.suse.com/973556
   https://bugzilla.suse.com/973570
   https://bugzilla.suse.com/975772
   https://bugzilla.suse.com/975945

-- 
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

[security-announce] SUSE-SU-2016:1707-1: important: Security update for the Linux Kernel

opensuse-security＠opensuse.org