openSUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: openSUSE-SU-2016:2625-1 Rating: important References: #1000287 #1001486 #1003077 #1003925 #1003931 #1004045 #1004418 #1004462 #881008 #909994 #911687 #922634 #951155 #960689 #978094 #980371 #986570 #989152 #991247 #991608 #991665 #993890 #993891 #994296 #994520 #994748 #994752 #994759 #996664 #999600 #999932 Cross-References: CVE-2015-7513 CVE-2015-8956 CVE-2016-0823 CVE-2016-1237 CVE-2016-5195 CVE-2016-5696 CVE-2016-6327 CVE-2016-6480 CVE-2016-6828 CVE-2016-7117 CVE-2016-7425 CVE-2016-8658 Affected Products: openSUSE 13.2 ______________________________________________________________________________ An update that solves 12 vulnerabilities and has 19 fixes is now available. Description: The openSUSE 13.2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2015-8956: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925). - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed, which is reportedly exploited in the wild (bsc#1004418). - CVE-2016-8658: Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a long SSID Information Element in a command to a Netlink socket (bnc#1004462). - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077). - CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel before 3.19.3, as used in Android 6.0.1 before 2016-03-01, allowed local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721 (bnc#994759). - CVE-2016-7425: The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932). - CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a device write operation (bnc#994748). - CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in the Linux kernel did not properly maintain certain SACK state after a failed data copy, which allowed local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option (bnc#994296). - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly determine the rate of challenge ACK segments, which made it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack (bnc#989152) - CVE-2016-6480: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a "double fetch" vulnerability (bnc#991608). - CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel did not reset the PIT counter values during state restoration, which allowed guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions (bnc#960689). - CVE-2016-1237: nfsd in the Linux kernel allowed local users to bypass intended file-permission restrictions by setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c, and nfs4acl.c (bnc#986570). The following non-security bugs were fixed: - AF_VSOCK: Shrink the area influenced by prepare_to_wait (bsc#994520). - xen: Fix refcnt regression in xen netback introduced by changes made for bug#881008 (bnc#978094) - MSI-X: fix an error path (luckily none so far). - usb: fix typo in wMaxPacketSize validation (bsc#991665). - usb: validate wMaxPacketValue entries in endpoint descriptors (bnc#991665). - Update patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch (bsc#986570 CVE#2016-1237). - Update patches.fixes/0001-posix_acl-Add-set_posix_acl.patch (bsc#986570 CVE#2016-1237). - apparmor: fix change_hat not finding hat after policy replacement (bsc#1000287). - arm64: Honor __GFP_ZERO in dma allocations (bsc#1004045). - arm64: __clear_user: handle exceptions on strb (bsc#994752). - arm64: dma-mapping: always clear allocated buffers (bsc#1004045). - arm64: perf: reject groups spanning multiple HW PMUs (bsc#1003931). - blkfront: fix an error path memory leak (luckily none so far). - blktap2: eliminate deadlock potential from shutdown path (bsc#909994). - blktap2: eliminate race from deferred work queue handling (bsc#911687). - btrfs: ensure that file descriptor used with subvol ioctls is a dir (bsc#999600). - cdc-acm: added sanity checking for probe() (bsc#993891). - kaweth: fix firmware download (bsc#993890). - kaweth: fix oops upon failed memory allocation (bsc#993890). - netback: fix flipping mode (bsc#996664). - netback: fix flipping mode (bsc#996664). - netfront: linearize SKBs requiring too many slots (bsc#991247). - nfsd: check permissions when setting ACLs (bsc#986570). - posix_acl: Add set_posix_acl (bsc#986570). - ppp: defer netns reference release for ppp channel (bsc#980371). - tunnels: Do not apply GRO to multiple layers of encapsulation (bsc#1001486). - usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices (bsc#922634). - x86: suppress lazy MMU updates during vmalloc fault processing (bsc#951155). - xen-netback-generalize.patch: Fold back into base patch. - xen3-patch-2.6.31.patch: Fold back into base patch. - xen3-patch-3.12.patch: Fold bac into base patch. - xen3-patch-3.15.patch: Fold back into base patch. - xen3-patch-3.3.patch: Fold back into base patch. - xen3-patch-3.9.patch: Fold bac into base patch. - xen3-patch-3.9.patch: Fold back into base patch. - xenbus: do not bail early from xenbus_dev_request_and_reply() (luckily none so far). - xenbus: inspect the correct type in xenbus_dev_request_and_reply(). Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.2: zypper in -t patch openSUSE-2016-1227=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.2 (i686 x86_64): kernel-debug-3.16.7-45.1 kernel-debug-base-3.16.7-45.1 kernel-debug-base-debuginfo-3.16.7-45.1 kernel-debug-debuginfo-3.16.7-45.1 kernel-debug-debugsource-3.16.7-45.1 kernel-debug-devel-3.16.7-45.1 kernel-debug-devel-debuginfo-3.16.7-45.1 kernel-desktop-3.16.7-45.1 kernel-desktop-base-3.16.7-45.1 kernel-desktop-base-debuginfo-3.16.7-45.1 kernel-desktop-debuginfo-3.16.7-45.1 kernel-desktop-debugsource-3.16.7-45.1 kernel-desktop-devel-3.16.7-45.1 kernel-ec2-base-debuginfo-3.16.7-45.1 kernel-ec2-debuginfo-3.16.7-45.1 kernel-ec2-debugsource-3.16.7-45.1 kernel-vanilla-3.16.7-45.1 kernel-vanilla-debuginfo-3.16.7-45.1 kernel-vanilla-debugsource-3.16.7-45.1 kernel-vanilla-devel-3.16.7-45.1 kernel-xen-3.16.7-45.1 kernel-xen-base-3.16.7-45.1 kernel-xen-base-debuginfo-3.16.7-45.1 kernel-xen-debuginfo-3.16.7-45.1 kernel-xen-debugsource-3.16.7-45.1 kernel-xen-devel-3.16.7-45.1 - openSUSE 13.2 (i586 x86_64): bbswitch-0.8-3.22.1 bbswitch-debugsource-0.8-3.22.1 bbswitch-kmp-default-0.8_k3.16.7_45-3.22.1 bbswitch-kmp-default-debuginfo-0.8_k3.16.7_45-3.22.1 bbswitch-kmp-desktop-0.8_k3.16.7_45-3.22.1 bbswitch-kmp-desktop-debuginfo-0.8_k3.16.7_45-3.22.1 bbswitch-kmp-xen-0.8_k3.16.7_45-3.22.1 bbswitch-kmp-xen-debuginfo-0.8_k3.16.7_45-3.22.1 cloop-2.639-14.22.1 cloop-debuginfo-2.639-14.22.1 cloop-debugsource-2.639-14.22.1 cloop-kmp-default-2.639_k3.16.7_45-14.22.1 cloop-kmp-default-debuginfo-2.639_k3.16.7_45-14.22.1 cloop-kmp-desktop-2.639_k3.16.7_45-14.22.1 cloop-kmp-desktop-debuginfo-2.639_k3.16.7_45-14.22.1 cloop-kmp-xen-2.639_k3.16.7_45-14.22.1 cloop-kmp-xen-debuginfo-2.639_k3.16.7_45-14.22.1 crash-7.0.8-22.1 crash-debuginfo-7.0.8-22.1 crash-debugsource-7.0.8-22.1 crash-devel-7.0.8-22.1 crash-doc-7.0.8-22.1 crash-eppic-7.0.8-22.1 crash-eppic-debuginfo-7.0.8-22.1 crash-gcore-7.0.8-22.1 crash-gcore-debuginfo-7.0.8-22.1 crash-kmp-default-7.0.8_k3.16.7_45-22.1 crash-kmp-default-debuginfo-7.0.8_k3.16.7_45-22.1 crash-kmp-desktop-7.0.8_k3.16.7_45-22.1 crash-kmp-desktop-debuginfo-7.0.8_k3.16.7_45-22.1 crash-kmp-xen-7.0.8_k3.16.7_45-22.1 crash-kmp-xen-debuginfo-7.0.8_k3.16.7_45-22.1 hdjmod-debugsource-1.28-18.23.1 hdjmod-kmp-default-1.28_k3.16.7_45-18.23.1 hdjmod-kmp-default-debuginfo-1.28_k3.16.7_45-18.23.1 hdjmod-kmp-desktop-1.28_k3.16.7_45-18.23.1 hdjmod-kmp-desktop-debuginfo-1.28_k3.16.7_45-18.23.1 hdjmod-kmp-xen-1.28_k3.16.7_45-18.23.1 hdjmod-kmp-xen-debuginfo-1.28_k3.16.7_45-18.23.1 ipset-6.23-22.1 ipset-debuginfo-6.23-22.1 ipset-debugsource-6.23-22.1 ipset-devel-6.23-22.1 ipset-kmp-default-6.23_k3.16.7_45-22.1 ipset-kmp-default-debuginfo-6.23_k3.16.7_45-22.1 ipset-kmp-desktop-6.23_k3.16.7_45-22.1 ipset-kmp-desktop-debuginfo-6.23_k3.16.7_45-22.1 ipset-kmp-xen-6.23_k3.16.7_45-22.1 ipset-kmp-xen-debuginfo-6.23_k3.16.7_45-22.1 kernel-default-3.16.7-45.1 kernel-default-base-3.16.7-45.1 kernel-default-base-debuginfo-3.16.7-45.1 kernel-default-debuginfo-3.16.7-45.1 kernel-default-debugsource-3.16.7-45.1 kernel-default-devel-3.16.7-45.1 kernel-ec2-3.16.7-45.1 kernel-ec2-base-3.16.7-45.1 kernel-ec2-devel-3.16.7-45.1 kernel-obs-build-3.16.7-45.1 kernel-obs-build-debugsource-3.16.7-45.1 kernel-obs-qa-3.16.7-45.1 kernel-obs-qa-xen-3.16.7-45.1 kernel-syms-3.16.7-45.1 libipset3-6.23-22.1 libipset3-debuginfo-6.23-22.1 pcfclock-0.44-260.22.1 pcfclock-debuginfo-0.44-260.22.1 pcfclock-debugsource-0.44-260.22.1 pcfclock-kmp-default-0.44_k3.16.7_45-260.22.1 pcfclock-kmp-default-debuginfo-0.44_k3.16.7_45-260.22.1 pcfclock-kmp-desktop-0.44_k3.16.7_45-260.22.1 pcfclock-kmp-desktop-debuginfo-0.44_k3.16.7_45-260.22.1 python-virtualbox-5.0.28-54.2 python-virtualbox-debuginfo-5.0.28-54.2 vhba-kmp-debugsource-20140629-2.22.1 vhba-kmp-default-20140629_k3.16.7_45-2.22.1 vhba-kmp-default-debuginfo-20140629_k3.16.7_45-2.22.1 vhba-kmp-desktop-20140629_k3.16.7_45-2.22.1 vhba-kmp-desktop-debuginfo-20140629_k3.16.7_45-2.22.1 vhba-kmp-xen-20140629_k3.16.7_45-2.22.1 vhba-kmp-xen-debuginfo-20140629_k3.16.7_45-2.22.1 virtualbox-5.0.28-54.2 virtualbox-debuginfo-5.0.28-54.2 virtualbox-debugsource-5.0.28-54.2 virtualbox-devel-5.0.28-54.2 virtualbox-guest-kmp-default-5.0.28_k3.16.7_45-54.2 virtualbox-guest-kmp-default-debuginfo-5.0.28_k3.16.7_45-54.2 virtualbox-guest-kmp-desktop-5.0.28_k3.16.7_45-54.2 virtualbox-guest-kmp-desktop-debuginfo-5.0.28_k3.16.7_45-54.2 virtualbox-guest-tools-5.0.28-54.2 virtualbox-guest-tools-debuginfo-5.0.28-54.2 virtualbox-guest-x11-5.0.28-54.2 virtualbox-guest-x11-debuginfo-5.0.28-54.2 virtualbox-host-kmp-default-5.0.28_k3.16.7_45-54.2 virtualbox-host-kmp-default-debuginfo-5.0.28_k3.16.7_45-54.2 virtualbox-host-kmp-desktop-5.0.28_k3.16.7_45-54.2 virtualbox-host-kmp-desktop-debuginfo-5.0.28_k3.16.7_45-54.2 virtualbox-qt-5.0.28-54.2 virtualbox-qt-debuginfo-5.0.28-54.2 virtualbox-websrv-5.0.28-54.2 virtualbox-websrv-debuginfo-5.0.28-54.2 xen-debugsource-4.4.4_05-51.2 xen-devel-4.4.4_05-51.2 xen-libs-4.4.4_05-51.2 xen-libs-debuginfo-4.4.4_05-51.2 xen-tools-domU-4.4.4_05-51.2 xen-tools-domU-debuginfo-4.4.4_05-51.2 xtables-addons-2.6-24.1 xtables-addons-debuginfo-2.6-24.1 xtables-addons-debugsource-2.6-24.1 xtables-addons-kmp-default-2.6_k3.16.7_45-24.1 xtables-addons-kmp-default-debuginfo-2.6_k3.16.7_45-24.1 xtables-addons-kmp-desktop-2.6_k3.16.7_45-24.1 xtables-addons-kmp-desktop-debuginfo-2.6_k3.16.7_45-24.1 xtables-addons-kmp-xen-2.6_k3.16.7_45-24.1 xtables-addons-kmp-xen-debuginfo-2.6_k3.16.7_45-24.1 - openSUSE 13.2 (noarch): kernel-devel-3.16.7-45.1 kernel-docs-3.16.7-45.2 kernel-macros-3.16.7-45.1 kernel-source-3.16.7-45.1 kernel-source-vanilla-3.16.7-45.1 virtualbox-guest-desktop-icons-5.0.28-54.2 virtualbox-host-source-5.0.28-54.2 - openSUSE 13.2 (x86_64): xen-4.4.4_05-51.2 xen-doc-html-4.4.4_05-51.2 xen-kmp-default-4.4.4_05_k3.16.7_45-51.2 xen-kmp-default-debuginfo-4.4.4_05_k3.16.7_45-51.2 xen-kmp-desktop-4.4.4_05_k3.16.7_45-51.2 xen-kmp-desktop-debuginfo-4.4.4_05_k3.16.7_45-51.2 xen-libs-32bit-4.4.4_05-51.2 xen-libs-debuginfo-32bit-4.4.4_05-51.2 xen-tools-4.4.4_05-51.2 xen-tools-debuginfo-4.4.4_05-51.2 - openSUSE 13.2 (i686): kernel-pae-3.16.7-45.1 kernel-pae-base-3.16.7-45.1 kernel-pae-base-debuginfo-3.16.7-45.1 kernel-pae-debuginfo-3.16.7-45.1 kernel-pae-debugsource-3.16.7-45.1 kernel-pae-devel-3.16.7-45.1 - openSUSE 13.2 (i586): bbswitch-kmp-pae-0.8_k3.16.7_45-3.22.1 bbswitch-kmp-pae-debuginfo-0.8_k3.16.7_45-3.22.1 cloop-kmp-pae-2.639_k3.16.7_45-14.22.1 cloop-kmp-pae-debuginfo-2.639_k3.16.7_45-14.22.1 crash-kmp-pae-7.0.8_k3.16.7_45-22.1 crash-kmp-pae-debuginfo-7.0.8_k3.16.7_45-22.1 hdjmod-kmp-pae-1.28_k3.16.7_45-18.23.1 hdjmod-kmp-pae-debuginfo-1.28_k3.16.7_45-18.23.1 ipset-kmp-pae-6.23_k3.16.7_45-22.1 ipset-kmp-pae-debuginfo-6.23_k3.16.7_45-22.1 pcfclock-kmp-pae-0.44_k3.16.7_45-260.22.1 pcfclock-kmp-pae-debuginfo-0.44_k3.16.7_45-260.22.1 vhba-kmp-pae-20140629_k3.16.7_45-2.22.1 vhba-kmp-pae-debuginfo-20140629_k3.16.7_45-2.22.1 virtualbox-guest-kmp-pae-5.0.28_k3.16.7_45-54.2 virtualbox-guest-kmp-pae-debuginfo-5.0.28_k3.16.7_45-54.2 virtualbox-host-kmp-pae-5.0.28_k3.16.7_45-54.2 virtualbox-host-kmp-pae-debuginfo-5.0.28_k3.16.7_45-54.2 xtables-addons-kmp-pae-2.6_k3.16.7_45-24.1 xtables-addons-kmp-pae-debuginfo-2.6_k3.16.7_45-24.1 References: https://www.suse.com/security/cve/CVE-2015-7513.html https://www.suse.com/security/cve/CVE-2015-8956.html https://www.suse.com/security/cve/CVE-2016-0823.html https://www.suse.com/security/cve/CVE-2016-1237.html https://www.suse.com/security/cve/CVE-2016-5195.html https://www.suse.com/security/cve/CVE-2016-5696.html https://www.suse.com/security/cve/CVE-2016-6327.html https://www.suse.com/security/cve/CVE-2016-6480.html https://www.suse.com/security/cve/CVE-2016-6828.html https://www.suse.com/security/cve/CVE-2016-7117.html https://www.suse.com/security/cve/CVE-2016-7425.html https://www.suse.com/security/cve/CVE-2016-8658.html https://bugzilla.suse.com/1000287 https://bugzilla.suse.com/1001486 https://bugzilla.suse.com/1003077 https://bugzilla.suse.com/1003925 https://bugzilla.suse.com/1003931 https://bugzilla.suse.com/1004045 https://bugzilla.suse.com/1004418 https://bugzilla.suse.com/1004462 https://bugzilla.suse.com/881008 https://bugzilla.suse.com/909994 https://bugzilla.suse.com/911687 https://bugzilla.suse.com/922634 https://bugzilla.suse.com/951155 https://bugzilla.suse.com/960689 https://bugzilla.suse.com/978094 https://bugzilla.suse.com/980371 https://bugzilla.suse.com/986570 https://bugzilla.suse.com/989152 https://bugzilla.suse.com/991247 https://bugzilla.suse.com/991608 https://bugzilla.suse.com/991665 https://bugzilla.suse.com/993890 https://bugzilla.suse.com/993891 https://bugzilla.suse.com/994296 https://bugzilla.suse.com/994520 https://bugzilla.suse.com/994748 https://bugzilla.suse.com/994752 https://bugzilla.suse.com/994759 https://bugzilla.suse.com/996664 https://bugzilla.suse.com/999600 https://bugzilla.suse.com/999932 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org