[security-announce] SUSE-SU-2016:1985-1: important: Security update for the Linux Kernel

8 Aug 2016

      SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1985-1
Rating:             important
References:         #676471 #866130 #909589 #936530 #944309 #950998 
                    #953369 #954847 #956491 #957986 #960857 #961518 
                    #963762 #966245 #967914 #968500 #969149 #969391 
                    #970114 #971030 #971126 #971360 #971446 #971944 
                    #971947 #971989 #973378 #974620 #974646 #974787 
                    #975358 #976739 #976868 #978401 #978821 #978822 
                    #979213 #979274 #979347 #979419 #979548 #979595 
                    #979867 #979879 #979915 #980246 #980371 #980725 
                    #980788 #980931 #981231 #981267 #982532 #982544 
                    #982691 #983143 #983213 #983721 #984107 #984755 
                    #986362 #986572 #988498 
Cross-References:   CVE-2015-7833 CVE-2016-0758 CVE-2016-1583
                    CVE-2016-2053 CVE-2016-2187 CVE-2016-3134
                    CVE-2016-3707 CVE-2016-4470 CVE-2016-4482
                    CVE-2016-4485 CVE-2016-4486 CVE-2016-4565
                    CVE-2016-4569 CVE-2016-4578 CVE-2016-4580
                    CVE-2016-4805 CVE-2016-4913 CVE-2016-4997
                    CVE-2016-5244 CVE-2016-5829
Affected Products:
                    SUSE Linux Enterprise Real Time Extension 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves 20 vulnerabilities and has 43 fixes
   is now available.

Description:

   The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various
   security and bugfixes.

   The following security bugs were fixed:
   - CVE-2016-5829: Multiple heap-based buffer overflows in the
     hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux
     kernel allowed local users to cause a denial of service or possibly have
     unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2)
     HIDIOCSUSAGES ioctl call (bnc#986572).
   - CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt implementation
     in the netfilter subsystem in the Linux kernel allowed local users to
     gain privileges or cause a denial of service (memory corruption) by
     leveraging in-container root access to provide a crafted offset value
     that triggers an unintended decrement (bnc#986362).
   - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c
     in the Linux kernel did not ensure that a certain data structure is
     initialized, which allowed local users to cause a denial of service
     (system crash) via vectors involving a crafted keyctl request2 command
     (bnc#984755).
   - CVE-2016-5244: The rds_inc_info_copy function in net/rds/recv.c in the
     Linux kernel did not initialize a certain structure member, which
     allowed remote attackers to obtain sensitive information from kernel
     stack memory by reading an RDS message (bnc#983213).
   - CVE-2016-1583: The ecryptfs_privileged_open function in
     fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain
     privileges or cause a denial of service (stack memory consumption) via
     vectors involving crafted mmap calls for /proc pathnames, leading to
     recursive pagefault handling (bnc#983143).
   - CVE-2016-4913: The get_rock_ridge_filename function in fs/isofs/rock.c
     in the Linux kernel mishandled NM (aka alternate name) entries
     containing \0 characters, which allowed local users to obtain sensitive
     information from kernel memory or possibly have unspecified other impact
     via a crafted isofs filesystem (bnc#980725).
   - CVE-2016-4580: The x25_negotiate_facilities function in
     net/x25/x25_facilities.c in the Linux kernel did not properly initialize
     a certain data structure, which allowed attackers to obtain sensitive
     information from kernel stack memory via an X.25 Call Request
     (bnc#981267).
   - CVE-2016-4805: Use-after-free vulnerability in
     drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to
     cause a denial of service (memory corruption and system crash, or
     spinlock) or possibly have unspecified other impact by removing a
     network namespace, related to the ppp_register_net_channel and
     ppp_unregister_channel functions (bnc#980371).
   - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux
     kernel allowed local users to gain privileges via crafted ASN.1 data
     (bnc#979867).
   - CVE-2015-7833: The usbvision driver in the Linux kernel allowed
     physically proximate attackers to cause a denial of service (panic) via
     a nonzero bInterfaceNumber value in a USB device descriptor (bnc#950998).
   - CVE-2016-3707: The icmp_check_sysrq function in net/ipv4/icmp.c in the
     kernel.org projects/rt patches for the Linux kernel, allowed remote
     attackers to execute SysRq commands via crafted ICMP Echo Request
     packets, as demonstrated by a brute-force attack to discover a cookie,
     or an attack that occurs after reading the local icmp_echo_sysrq file
     (bnc#980246).
   - CVE-2016-2187: The gtco_probe function in drivers/input/tablet/gtco.c in
     the Linux kernel allowed physically proximate attackers to cause a
     denial of service (NULL pointer dereference and system crash) via a
     crafted endpoints value in a USB device descriptor (bnc#971944).
   - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c
     in the Linux kernel did not initialize a certain data structure, which
     allowed local users to obtain sensitive information from kernel stack
     memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401).
   - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in
     the Linux kernel allowed attackers to cause a denial of service (panic)
     via an ASN.1 BER file that lacks a public key, leading to mishandling by
     the public_key_verify_signature function in
     crypto/asymmetric_keys/public_key.c (bnc#963762).
   - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel
     incorrectly relied on the write system call, which allowed local users
     to cause a denial of service (kernel memory write operation) or possibly
     have unspecified other impact via a uAPI interface (bnc#979548).
   - CVE-2016-4485: The llc_cmsg_rcv function in net/llc/af_llc.c in the
     Linux kernel did not initialize a certain data structure, which allowed
     attackers to obtain sensitive information from kernel stack memory by
     reading a message (bnc#978821).
   - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize
     certain r1 data structures, which allowed local users to obtain
     sensitive information from kernel stack memory via crafted use of the
     ALSA timer interface, related to the (1) snd_timer_user_ccallback and
     (2) snd_timer_user_tinterrupt functions (bnc#979879).
   - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c
     in the Linux kernel did not initialize a certain data structure, which
     allowed local users to obtain sensitive information from kernel stack
     memory via crafted use of the ALSA timer interface (bnc#979213).
   - CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c
     in the Linux kernel did not initialize a certain data structure, which
     allowed local users to obtain sensitive information from kernel stack
     memory by reading a Netlink message (bnc#978822).
   - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not
     validate certain offset fields, which allowed local users to gain
     privileges or cause a denial of service (heap memory corruption) via an
     IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

   The following non-security bugs were fixed:
   - ALSA: hrtimer: Handle start/stop more properly (bsc#973378).
   - ALSA: oxygen: add Xonar DGX support (bsc#982691).
   - Assign correct ->can_queue value in hv_storvsc (bnc#969391)
   - Delete
   patches.drivers/nvme-0165-Split-header-file-into-user-visible-and-kernel-.p
     atch. SLE11-SP4 does not have uapi headers so move everything back to
     the original header (bnc#981231)
   - Driver: Vmxnet3: set CHECKSUM_UNNECESSARY for IPv6 packets (bsc#976739).
   - Fix cifs_uniqueid_to_ino_t() function for s390x (bsc#944309)
   - KVM: x86: fix maintenance of guest/host xcr0 state (bsc#961518).
   - MM: increase safety margin provided by PF_LESS_THROTTLE (bsc#956491).
   - NFS: Do not attempt to decode missing directory entries (bsc#980931).
   - NFS: avoid deadlocks with loop-back mounted NFS filesystems (bsc#956491).
   - NFS: avoid waiting at all in nfs_release_page when congested
     (bsc#956491).
   - NFS: fix memory corruption rooted in get_ih_name pointer math
     (bsc#984107).
   - NFS: reduce access cache shrinker locking (bnc#866130).
   - NFSv4: Ensure that we do not drop a state owner more than once
     (bsc#979595).
   - NFSv4: OPEN must handle the NFS4ERR_IO return code correctly
     (bsc#979595).
   - NVMe: Unify controller probe and resume (bsc#979347).
   - RDMA/cxgb4: Configure 0B MRs to match HW implementation (bsc#909589).
   - RDMA/cxgb4: Do not hang threads forever waiting on WR replies
     (bsc#909589).
   - RDMA/cxgb4: Fix locking issue in process_mpa_request (bsc#909589).
   - RDMA/cxgb4: Handle NET_XMIT return codes (bsc#909589).
   - RDMA/cxgb4: Increase epd buff size for debug interface (bsc#909589).
   - RDMA/cxgb4: Limit MRs to less than 8GB for T4/T5 devices (bsc#909589).
   - RDMA/cxgb4: Serialize CQ event upcalls with CQ destruction (bsc#909589).
   - RDMA/cxgb4: Wake up waiters after flushing the qp (bsc#909589).
   - SCSI: Increase REPORT_LUNS timeout (bsc#971989).
   - Update
     patches.drivers/nvme-0265-fix-max_segments-integer-truncation.patch
     (bsc#979419). Fix reference.
   - Update
     patches.fixes/bnx2x-Alloc-4k-fragment-for-each-rx-ring-buffer-elem.patch
     (bsc#953369 bsc#975358).
   - bridge: superfluous skb->nfct check in br_nf_dev_queue_xmit (bsc#982544).
   - cgroups: do not attach task to subsystem if migration failed
     (bnc#979274).
   - cgroups: more safe tasklist locking in cgroup_attach_proc (bnc#979274).
   - cpuset: Fix potential deadlock w/ set_mems_allowed (bsc#960857,
     bsc#974646).
   - dasd: fix hanging system after LCU changes (bnc#968500, LTC#136671).
   - enic: set netdev->vlan_features (bsc#966245).
   - fcoe: fix reset of fip selection time (bsc#974787).
   - hid-elo: kill not flush the work (bnc#982532).
   - ipc,sem: fix use after free on IPC_RMID after a task using same
     semaphore set exits (bsc#967914).
   - ipv4/fib: do not warn when primary address is missing if in_dev is dead
     (bsc#971360).
   - ipv4: fix ineffective source address selection (bsc#980788).
   - ipvs: count pre-established TCP states as active (bsc#970114).
   - iucv: call skb_linearize() when needed (bnc#979915, LTC#141240).
   - kabi: prevent spurious modversion changes after bsc#982544 fix
     (bsc#982544).
   - mm/hugetlb.c: correct missing private flag clearing (VM Functionality,
     bnc#971446).
   - mm/hugetlb: fix backport of upstream commit 07443a85ad (VM
     Functionality, bnc#971446).
   - mm/swap.c: flush lru pvecs on compound page arrival (bnc#983721).
   - mm/vmscan.c: avoid throttling reclaim for loop-back nfsd threads
     (bsc#956491).
   - mm: Fix DIF failures on ext3 filesystems (bsc#971030).
   - net/qlge: Avoids recursive EEH error (bsc#954847).
   - netfilter: bridge: Use __in6_dev_get rather than in6_dev_get in
     br_validate_ipv6 (bsc#982544).
   - netfilter: bridge: do not leak skb in error paths (bsc#982544).
   - netfilter: bridge: forward IPv6 fragmented packets (bsc#982544).
   - nvme: fix max_segments integer truncation (bsc#676471).
   - ocfs2: do not set fs read-only if rec[0] is empty while committing
     truncate (bnc#971947).
   - ocfs2: extend enough credits for freeing one truncate record while
     replaying truncate records (bnc#971947).
   - ocfs2: extend transaction for ocfs2_remove_rightmost_path() and
     ocfs2_update_edge_lengths() before to avoid inconsistency between inode
     and et (bnc#971947).
   - qeth: delete napi struct when removing a qeth device (bnc#979915,
     LTC#143590).
   - rpm/modprobe-xen.conf: Revert comment change to allow parallel install
     (bsc#957986). This reverts commit
     855c7ce885fd412ce2a25ccc12a46e565c83f235.
   - s390/dasd: prevent incorrect length error under z/VM after PAV changes
     (bnc#968500, LTC#136670).
   - s390/mm: fix asce_bits handling with dynamic pagetable levels
     (bnc#979915, LTC#141456).
   - s390/pci: add extra padding to function measurement block (bnc#968500,
     LTC#139445).
   - s390/pci: enforce fmb page boundary rule (bnc#968500, LTC#139445).
   - s390/pci: extract software counters from fmb (bnc#968500, LTC#139445).
   - s390/pci: fix use after free in dma_init (bnc#979915, LTC#141626).
   - s390/pci: remove pdev pointer from arch data (bnc#968500, LTC#139444).
   - s390/pci_dma: fix DMA table corruption with > 4 TB main memory
     (bnc#968500, LTC#139401).
   - s390/pci_dma: handle dma table failures (bnc#968500, LTC#139442).
   - s390/pci_dma: improve debugging of errors during dma map (bnc#968500,
     LTC#139442).
   - s390/pci_dma: unify label of invalid translation table entries
     (bnc#968500, LTC#139442).
   - s390/spinlock: avoid yield to non existent cpu (bnc#968500, LTC#141106).
   - s390: fix test_fp_ctl inline assembly contraints (bnc#979915,
     LTC#143138).
   - sched/cputime: Fix clock_nanosleep()/clock_gettime() inconsistency
     (bnc#988498).
   - sched/cputime: Fix cpu_timer_sample_group() double accounting
     (bnc#988498).
   - sched: Provide update_curr callbacks for stop/idle scheduling classes
     (bnc#988498).
   - veth: do not modify ip_summed (bsc#969149).
   - vgaarb: Add more context to error messages (bsc#976868).
   - virtio_scsi: Implement eh_timed_out callback (bsc#936530).
   - x86, kvm: fix kvm's usage of kernel_fpu_begin/end() (bsc#961518).
   - x86, kvm: use kernel_fpu_begin/end() in kvm_load/put_guest_fpu()
     (bsc#961518).
   - x86/mm/pat, /dev/mem: Remove superfluous error message (bsc#974620).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Real Time Extension 11-SP4:

      zypper in -t patch slertesp4-linux-kernel-12681=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-linux-kernel-12681=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Real Time Extension 11-SP4 (x86_64):

      kernel-rt-3.0.101.rt130-57.1
      kernel-rt-base-3.0.101.rt130-57.1
      kernel-rt-devel-3.0.101.rt130-57.1
      kernel-rt_trace-3.0.101.rt130-57.1
      kernel-rt_trace-base-3.0.101.rt130-57.1
      kernel-rt_trace-devel-3.0.101.rt130-57.1
      kernel-source-rt-3.0.101.rt130-57.1
      kernel-syms-rt-3.0.101.rt130-57.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):

      kernel-rt-debuginfo-3.0.101.rt130-57.1
      kernel-rt-debugsource-3.0.101.rt130-57.1
      kernel-rt_debug-debuginfo-3.0.101.rt130-57.1
      kernel-rt_debug-debugsource-3.0.101.rt130-57.1
      kernel-rt_trace-debuginfo-3.0.101.rt130-57.1
      kernel-rt_trace-debugsource-3.0.101.rt130-57.1

References:

   https://www.suse.com/security/cve/CVE-2015-7833.html
   https://www.suse.com/security/cve/CVE-2016-0758.html
   https://www.suse.com/security/cve/CVE-2016-1583.html
   https://www.suse.com/security/cve/CVE-2016-2053.html
   https://www.suse.com/security/cve/CVE-2016-2187.html
   https://www.suse.com/security/cve/CVE-2016-3134.html
   https://www.suse.com/security/cve/CVE-2016-3707.html
   https://www.suse.com/security/cve/CVE-2016-4470.html
   https://www.suse.com/security/cve/CVE-2016-4482.html
   https://www.suse.com/security/cve/CVE-2016-4485.html
   https://www.suse.com/security/cve/CVE-2016-4486.html
   https://www.suse.com/security/cve/CVE-2016-4565.html
   https://www.suse.com/security/cve/CVE-2016-4569.html
   https://www.suse.com/security/cve/CVE-2016-4578.html
   https://www.suse.com/security/cve/CVE-2016-4580.html
   https://www.suse.com/security/cve/CVE-2016-4805.html
   https://www.suse.com/security/cve/CVE-2016-4913.html
   https://www.suse.com/security/cve/CVE-2016-4997.html
   https://www.suse.com/security/cve/CVE-2016-5244.html
   https://www.suse.com/security/cve/CVE-2016-5829.html
   https://bugzilla.suse.com/676471
   https://bugzilla.suse.com/866130
   https://bugzilla.suse.com/909589
   https://bugzilla.suse.com/936530
   https://bugzilla.suse.com/944309
   https://bugzilla.suse.com/950998
   https://bugzilla.suse.com/953369
   https://bugzilla.suse.com/954847
   https://bugzilla.suse.com/956491
   https://bugzilla.suse.com/957986
   https://bugzilla.suse.com/960857
   https://bugzilla.suse.com/961518
   https://bugzilla.suse.com/963762
   https://bugzilla.suse.com/966245
   https://bugzilla.suse.com/967914
   https://bugzilla.suse.com/968500
   https://bugzilla.suse.com/969149
   https://bugzilla.suse.com/969391
   https://bugzilla.suse.com/970114
   https://bugzilla.suse.com/971030
   https://bugzilla.suse.com/971126
   https://bugzilla.suse.com/971360
   https://bugzilla.suse.com/971446
   https://bugzilla.suse.com/971944
   https://bugzilla.suse.com/971947
   https://bugzilla.suse.com/971989
   https://bugzilla.suse.com/973378
   https://bugzilla.suse.com/974620
   https://bugzilla.suse.com/974646
   https://bugzilla.suse.com/974787
   https://bugzilla.suse.com/975358
   https://bugzilla.suse.com/976739
   https://bugzilla.suse.com/976868
   https://bugzilla.suse.com/978401
   https://bugzilla.suse.com/978821
   https://bugzilla.suse.com/978822
   https://bugzilla.suse.com/979213
   https://bugzilla.suse.com/979274
   https://bugzilla.suse.com/979347
   https://bugzilla.suse.com/979419
   https://bugzilla.suse.com/979548
   https://bugzilla.suse.com/979595
   https://bugzilla.suse.com/979867
   https://bugzilla.suse.com/979879
   https://bugzilla.suse.com/979915
   https://bugzilla.suse.com/980246
   https://bugzilla.suse.com/980371
   https://bugzilla.suse.com/980725
   https://bugzilla.suse.com/980788
   https://bugzilla.suse.com/980931
   https://bugzilla.suse.com/981231
   https://bugzilla.suse.com/981267
   https://bugzilla.suse.com/982532
   https://bugzilla.suse.com/982544
   https://bugzilla.suse.com/982691
   https://bugzilla.suse.com/983143
   https://bugzilla.suse.com/983213
   https://bugzilla.suse.com/983721
   https://bugzilla.suse.com/984107
   https://bugzilla.suse.com/984755
   https://bugzilla.suse.com/986362
   https://bugzilla.suse.com/986572
   https://bugzilla.suse.com/988498

-- 
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

[security-announce] SUSE-SU-2016:1985-1: important: Security update for the Linux Kernel

opensuse-security＠opensuse.org