openSUSE Security Update: kernel: security and bugfix update ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0985-1 Rating: important References: #768714 #851686 #855657 #866101 #867531 #867723 #879071 #880484 #882189 #883518 #883724 #883795 #884840 #885422 #885725 #886629 Cross-References: CVE-2014-0100 CVE-2014-0131 CVE-2014-2309 CVE-2014-3917 CVE-2014-4014 CVE-2014-4171 CVE-2014-4508 CVE-2014-4652 CVE-2014-4653 CVE-2014-4654 CVE-2014-4655 CVE-2014-4656 CVE-2014-4667 CVE-2014-4699 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that solves 14 vulnerabilities and has two fixes is now available. Description: The Linux kernel was updated to fix security issues and bugs: Security issues fixed: CVE-2014-4699: The Linux kernel on Intel processors did not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allowed local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls. CVE-2014-4667: The sctp_association_free function in net/sctp/associola.c in the Linux kernel did not properly manage a certain backlog value, which allowed remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet. CVE-2014-4171: mm/shmem.c in the Linux kernel did not properly implement the interaction between range notification and hole punching, which allowed local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call. CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allowed local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. CVE-2014-0100: Race condition in the inet_frag_intern function in net/ipv4/inet_fragment.c in the Linux kernel allowed remote attackers to cause a denial of service (use-after-free error) or possibly have unspecified other impact via a large series of fragmented ICMP Echo Request packets to a system with a heavy CPU load. CVE-2014-4656: Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel allowed local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function. CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel did not properly maintain the user_ctl_count value, which allowed local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel did not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allowed local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call. CVE-2014-4653: sound/core/control.c in the ALSA control implementation in the Linux kernel did not ensure possession of a read/write lock, which allowed local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. CVE-2014-4652: Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel allowed local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. CVE-2014-4014: The capabilities implementation in the Linux kernel did not properly consider that namespaces are inapplicable to inodes, which allowed local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root. CVE-2014-2309: The ip6_route_add function in net/ipv6/route.c in the Linux kernel did not properly count the addition of routes, which allowed remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets. CVE-2014-3917: kernel/auditsc.c in the Linux kernel, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allowed local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number. CVE-2014-0131: Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel allowed attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. Bugs fixed: - Don't trigger congestion wait on dirty-but-not-writeout pages (bnc#879071). - via-velocity: fix netif_receive_skb use in irq disabled section (bnc#851686). - HID: logitech-dj: Fix USB 3.0 issue (bnc#886629). - tg3: Change nvram command timeout value to 50ms (bnc#768714 bnc#855657). - tg3: Override clock, link aware and link idle mode during NVRAM dump (bnc#768714 bnc#855657). - tg3: Set the MAC clock to the fastest speed during boot code load (bnc#768714 bnc#855657). - ALSA: usb-audio: Fix deadlocks at resuming (bnc#884840). - ALSA: usb-audio: Save mixer status only once at suspend (bnc#884840). - ALSA: usb-audio: Resume mixer values properly (bnc#884840). Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-493 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i686 x86_64): kernel-debug-3.11.10-21.1 kernel-debug-base-3.11.10-21.1 kernel-debug-base-debuginfo-3.11.10-21.1 kernel-debug-debuginfo-3.11.10-21.1 kernel-debug-debugsource-3.11.10-21.1 kernel-debug-devel-3.11.10-21.1 kernel-debug-devel-debuginfo-3.11.10-21.1 kernel-desktop-3.11.10-21.1 kernel-desktop-base-3.11.10-21.1 kernel-desktop-base-debuginfo-3.11.10-21.1 kernel-desktop-debuginfo-3.11.10-21.1 kernel-desktop-debugsource-3.11.10-21.1 kernel-desktop-devel-3.11.10-21.1 kernel-desktop-devel-debuginfo-3.11.10-21.1 kernel-ec2-3.11.10-21.1 kernel-ec2-base-3.11.10-21.1 kernel-ec2-base-debuginfo-3.11.10-21.1 kernel-ec2-debuginfo-3.11.10-21.1 kernel-ec2-debugsource-3.11.10-21.1 kernel-ec2-devel-3.11.10-21.1 kernel-ec2-devel-debuginfo-3.11.10-21.1 kernel-trace-3.11.10-21.1 kernel-trace-base-3.11.10-21.1 kernel-trace-base-debuginfo-3.11.10-21.1 kernel-trace-debuginfo-3.11.10-21.1 kernel-trace-debugsource-3.11.10-21.1 kernel-trace-devel-3.11.10-21.1 kernel-trace-devel-debuginfo-3.11.10-21.1 kernel-vanilla-3.11.10-21.1 kernel-vanilla-debuginfo-3.11.10-21.1 kernel-vanilla-debugsource-3.11.10-21.1 kernel-vanilla-devel-3.11.10-21.1 kernel-vanilla-devel-debuginfo-3.11.10-21.1 kernel-xen-3.11.10-21.1 kernel-xen-base-3.11.10-21.1 kernel-xen-base-debuginfo-3.11.10-21.1 kernel-xen-debuginfo-3.11.10-21.1 kernel-xen-debugsource-3.11.10-21.1 kernel-xen-devel-3.11.10-21.1 kernel-xen-devel-debuginfo-3.11.10-21.1 - openSUSE 13.1 (i586 x86_64): cloop-2.639-11.13.1 cloop-debuginfo-2.639-11.13.1 cloop-debugsource-2.639-11.13.1 cloop-kmp-default-2.639_k3.11.10_21-11.13.1 cloop-kmp-default-debuginfo-2.639_k3.11.10_21-11.13.1 cloop-kmp-desktop-2.639_k3.11.10_21-11.13.1 cloop-kmp-desktop-debuginfo-2.639_k3.11.10_21-11.13.1 cloop-kmp-xen-2.639_k3.11.10_21-11.13.1 cloop-kmp-xen-debuginfo-2.639_k3.11.10_21-11.13.1 crash-7.0.2-2.13.1 crash-debuginfo-7.0.2-2.13.1 crash-debugsource-7.0.2-2.13.1 crash-devel-7.0.2-2.13.1 crash-doc-7.0.2-2.13.1 crash-eppic-7.0.2-2.13.1 crash-eppic-debuginfo-7.0.2-2.13.1 crash-gcore-7.0.2-2.13.1 crash-gcore-debuginfo-7.0.2-2.13.1 crash-kmp-default-7.0.2_k3.11.10_21-2.13.1 crash-kmp-default-debuginfo-7.0.2_k3.11.10_21-2.13.1 crash-kmp-desktop-7.0.2_k3.11.10_21-2.13.1 crash-kmp-desktop-debuginfo-7.0.2_k3.11.10_21-2.13.1 crash-kmp-xen-7.0.2_k3.11.10_21-2.13.1 crash-kmp-xen-debuginfo-7.0.2_k3.11.10_21-2.13.1 hdjmod-debugsource-1.28-16.13.1 hdjmod-kmp-default-1.28_k3.11.10_21-16.13.1 hdjmod-kmp-default-debuginfo-1.28_k3.11.10_21-16.13.1 hdjmod-kmp-desktop-1.28_k3.11.10_21-16.13.1 hdjmod-kmp-desktop-debuginfo-1.28_k3.11.10_21-16.13.1 hdjmod-kmp-xen-1.28_k3.11.10_21-16.13.1 hdjmod-kmp-xen-debuginfo-1.28_k3.11.10_21-16.13.1 ipset-6.21.1-2.17.1 ipset-debuginfo-6.21.1-2.17.1 ipset-debugsource-6.21.1-2.17.1 ipset-devel-6.21.1-2.17.1 ipset-kmp-default-6.21.1_k3.11.10_21-2.17.1 ipset-kmp-default-debuginfo-6.21.1_k3.11.10_21-2.17.1 ipset-kmp-desktop-6.21.1_k3.11.10_21-2.17.1 ipset-kmp-desktop-debuginfo-6.21.1_k3.11.10_21-2.17.1 ipset-kmp-xen-6.21.1_k3.11.10_21-2.17.1 ipset-kmp-xen-debuginfo-6.21.1_k3.11.10_21-2.17.1 iscsitarget-1.4.20.3-13.13.1 iscsitarget-debuginfo-1.4.20.3-13.13.1 iscsitarget-debugsource-1.4.20.3-13.13.1 iscsitarget-kmp-default-1.4.20.3_k3.11.10_21-13.13.1 iscsitarget-kmp-default-debuginfo-1.4.20.3_k3.11.10_21-13.13.1 iscsitarget-kmp-desktop-1.4.20.3_k3.11.10_21-13.13.1 iscsitarget-kmp-desktop-debuginfo-1.4.20.3_k3.11.10_21-13.13.1 iscsitarget-kmp-xen-1.4.20.3_k3.11.10_21-13.13.1 iscsitarget-kmp-xen-debuginfo-1.4.20.3_k3.11.10_21-13.13.1 kernel-default-3.11.10-21.1 kernel-default-base-3.11.10-21.1 kernel-default-base-debuginfo-3.11.10-21.1 kernel-default-debuginfo-3.11.10-21.1 kernel-default-debugsource-3.11.10-21.1 kernel-default-devel-3.11.10-21.1 kernel-default-devel-debuginfo-3.11.10-21.1 kernel-syms-3.11.10-21.1 libipset3-6.21.1-2.17.1 libipset3-debuginfo-6.21.1-2.17.1 ndiswrapper-1.58-13.1 ndiswrapper-debuginfo-1.58-13.1 ndiswrapper-debugsource-1.58-13.1 ndiswrapper-kmp-default-1.58_k3.11.10_21-13.1 ndiswrapper-kmp-default-debuginfo-1.58_k3.11.10_21-13.1 ndiswrapper-kmp-desktop-1.58_k3.11.10_21-13.1 ndiswrapper-kmp-desktop-debuginfo-1.58_k3.11.10_21-13.1 pcfclock-0.44-258.13.1 pcfclock-debuginfo-0.44-258.13.1 pcfclock-debugsource-0.44-258.13.1 pcfclock-kmp-default-0.44_k3.11.10_21-258.13.1 pcfclock-kmp-default-debuginfo-0.44_k3.11.10_21-258.13.1 pcfclock-kmp-desktop-0.44_k3.11.10_21-258.13.1 pcfclock-kmp-desktop-debuginfo-0.44_k3.11.10_21-258.13.1 python-virtualbox-4.2.18-2.18.1 python-virtualbox-debuginfo-4.2.18-2.18.1 vhba-kmp-debugsource-20130607-2.14.1 vhba-kmp-default-20130607_k3.11.10_21-2.14.1 vhba-kmp-default-debuginfo-20130607_k3.11.10_21-2.14.1 vhba-kmp-desktop-20130607_k3.11.10_21-2.14.1 vhba-kmp-desktop-debuginfo-20130607_k3.11.10_21-2.14.1 vhba-kmp-xen-20130607_k3.11.10_21-2.14.1 vhba-kmp-xen-debuginfo-20130607_k3.11.10_21-2.14.1 virtualbox-4.2.18-2.18.1 virtualbox-debuginfo-4.2.18-2.18.1 virtualbox-debugsource-4.2.18-2.18.1 virtualbox-devel-4.2.18-2.18.1 virtualbox-guest-kmp-default-4.2.18_k3.11.10_21-2.18.1 virtualbox-guest-kmp-default-debuginfo-4.2.18_k3.11.10_21-2.18.1 virtualbox-guest-kmp-desktop-4.2.18_k3.11.10_21-2.18.1 virtualbox-guest-kmp-desktop-debuginfo-4.2.18_k3.11.10_21-2.18.1 virtualbox-guest-tools-4.2.18-2.18.1 virtualbox-guest-tools-debuginfo-4.2.18-2.18.1 virtualbox-guest-x11-4.2.18-2.18.1 virtualbox-guest-x11-debuginfo-4.2.18-2.18.1 virtualbox-host-kmp-default-4.2.18_k3.11.10_21-2.18.1 virtualbox-host-kmp-default-debuginfo-4.2.18_k3.11.10_21-2.18.1 virtualbox-host-kmp-desktop-4.2.18_k3.11.10_21-2.18.1 virtualbox-host-kmp-desktop-debuginfo-4.2.18_k3.11.10_21-2.18.1 virtualbox-qt-4.2.18-2.18.1 virtualbox-qt-debuginfo-4.2.18-2.18.1 virtualbox-websrv-4.2.18-2.18.1 virtualbox-websrv-debuginfo-4.2.18-2.18.1 xen-debugsource-4.3.2_01-21.1 xen-devel-4.3.2_01-21.1 xen-kmp-default-4.3.2_01_k3.11.10_21-21.1 xen-kmp-default-debuginfo-4.3.2_01_k3.11.10_21-21.1 xen-kmp-desktop-4.3.2_01_k3.11.10_21-21.1 xen-kmp-desktop-debuginfo-4.3.2_01_k3.11.10_21-21.1 xen-libs-4.3.2_01-21.1 xen-libs-debuginfo-4.3.2_01-21.1 xen-tools-domU-4.3.2_01-21.1 xen-tools-domU-debuginfo-4.3.2_01-21.1 xtables-addons-2.3-2.13.1 xtables-addons-debuginfo-2.3-2.13.1 xtables-addons-debugsource-2.3-2.13.1 xtables-addons-kmp-default-2.3_k3.11.10_21-2.13.1 xtables-addons-kmp-default-debuginfo-2.3_k3.11.10_21-2.13.1 xtables-addons-kmp-desktop-2.3_k3.11.10_21-2.13.1 xtables-addons-kmp-desktop-debuginfo-2.3_k3.11.10_21-2.13.1 xtables-addons-kmp-xen-2.3_k3.11.10_21-2.13.1 xtables-addons-kmp-xen-debuginfo-2.3_k3.11.10_21-2.13.1 - openSUSE 13.1 (noarch): kernel-devel-3.11.10-21.1 kernel-docs-3.11.10-21.3 kernel-source-3.11.10-21.1 kernel-source-vanilla-3.11.10-21.1 - openSUSE 13.1 (x86_64): xen-4.3.2_01-21.1 xen-doc-html-4.3.2_01-21.1 xen-libs-32bit-4.3.2_01-21.1 xen-libs-debuginfo-32bit-4.3.2_01-21.1 xen-tools-4.3.2_01-21.1 xen-tools-debuginfo-4.3.2_01-21.1 xen-xend-tools-4.3.2_01-21.1 xen-xend-tools-debuginfo-4.3.2_01-21.1 - openSUSE 13.1 (i686): kernel-pae-3.11.10-21.1 kernel-pae-base-3.11.10-21.1 kernel-pae-base-debuginfo-3.11.10-21.1 kernel-pae-debuginfo-3.11.10-21.1 kernel-pae-debugsource-3.11.10-21.1 kernel-pae-devel-3.11.10-21.1 kernel-pae-devel-debuginfo-3.11.10-21.1 - openSUSE 13.1 (i586): cloop-kmp-pae-2.639_k3.11.10_21-11.13.1 cloop-kmp-pae-debuginfo-2.639_k3.11.10_21-11.13.1 crash-kmp-pae-7.0.2_k3.11.10_21-2.13.1 crash-kmp-pae-debuginfo-7.0.2_k3.11.10_21-2.13.1 hdjmod-kmp-pae-1.28_k3.11.10_21-16.13.1 hdjmod-kmp-pae-debuginfo-1.28_k3.11.10_21-16.13.1 ipset-kmp-pae-6.21.1_k3.11.10_21-2.17.1 ipset-kmp-pae-debuginfo-6.21.1_k3.11.10_21-2.17.1 iscsitarget-kmp-pae-1.4.20.3_k3.11.10_21-13.13.1 iscsitarget-kmp-pae-debuginfo-1.4.20.3_k3.11.10_21-13.13.1 ndiswrapper-kmp-pae-1.58_k3.11.10_21-13.1 ndiswrapper-kmp-pae-debuginfo-1.58_k3.11.10_21-13.1 pcfclock-kmp-pae-0.44_k3.11.10_21-258.13.1 pcfclock-kmp-pae-debuginfo-0.44_k3.11.10_21-258.13.1 vhba-kmp-pae-20130607_k3.11.10_21-2.14.1 vhba-kmp-pae-debuginfo-20130607_k3.11.10_21-2.14.1 virtualbox-guest-kmp-pae-4.2.18_k3.11.10_21-2.18.1 virtualbox-guest-kmp-pae-debuginfo-4.2.18_k3.11.10_21-2.18.1 virtualbox-host-kmp-pae-4.2.18_k3.11.10_21-2.18.1 virtualbox-host-kmp-pae-debuginfo-4.2.18_k3.11.10_21-2.18.1 xen-kmp-pae-4.3.2_01_k3.11.10_21-21.1 xen-kmp-pae-debuginfo-4.3.2_01_k3.11.10_21-21.1 xtables-addons-kmp-pae-2.3_k3.11.10_21-2.13.1 xtables-addons-kmp-pae-debuginfo-2.3_k3.11.10_21-2.13.1 References: http://support.novell.com/security/cve/CVE-2014-0100.html http://support.novell.com/security/cve/CVE-2014-0131.html http://support.novell.com/security/cve/CVE-2014-2309.html http://support.novell.com/security/cve/CVE-2014-3917.html http://support.novell.com/security/cve/CVE-2014-4014.html http://support.novell.com/security/cve/CVE-2014-4171.html http://support.novell.com/security/cve/CVE-2014-4508.html http://support.novell.com/security/cve/CVE-2014-4652.html http://support.novell.com/security/cve/CVE-2014-4653.html http://support.novell.com/security/cve/CVE-2014-4654.html http://support.novell.com/security/cve/CVE-2014-4655.html http://support.novell.com/security/cve/CVE-2014-4656.html http://support.novell.com/security/cve/CVE-2014-4667.html http://support.novell.com/security/cve/CVE-2014-4699.html https://bugzilla.novell.com/768714 https://bugzilla.novell.com/851686 https://bugzilla.novell.com/855657 https://bugzilla.novell.com/866101 https://bugzilla.novell.com/867531 https://bugzilla.novell.com/867723 https://bugzilla.novell.com/879071 https://bugzilla.novell.com/880484 https://bugzilla.novell.com/882189 https://bugzilla.novell.com/883518 https://bugzilla.novell.com/883724 https://bugzilla.novell.com/883795 https://bugzilla.novell.com/884840 https://bugzilla.novell.com/885422 https://bugzilla.novell.com/885725 https://bugzilla.novell.com/886629