Sicherheit: Mehrere Probleme in Linux

Lesezeichen hinzufügen

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2016:1985-1
Rating: important
References: #676471 #866130 #909589 #936530 #944309 #950998
#953369 #954847 #956491 #957986 #960857 #961518
#963762 #966245 #967914 #968500 #969149 #969391
#970114 #971030 #971126 #971360 #971446 #971944
#971947 #971989 #973378 #974620 #974646 #974787
#975358 #976739 #976868 #978401 #978821 #978822
#979213 #979274 #979347 #979419 #979548 #979595
#979867 #979879 #979915 #980246 #980371 #980725
#980788 #980931 #981231 #981267 #982532 #982544
#982691 #983143 #983213 #983721 #984107 #984755
#986362 #986572 #988498
Cross-References: CVE-2015-7833 CVE-2016-0758 CVE-2016-1583
CVE-2016-2053 CVE-2016-2187 CVE-2016-3134
CVE-2016-3707 CVE-2016-4470 CVE-2016-4482
CVE-2016-4485 CVE-2016-4486 CVE-2016-4565
CVE-2016-4569 CVE-2016-4578 CVE-2016-4580
CVE-2016-4805 CVE-2016-4913 CVE-2016-4997
CVE-2016-5244 CVE-2016-5829
Affected Products:
SUSE Linux Enterprise Real Time Extension 11-SP4
SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that solves 20 vulnerabilities and has 43 fixes
is now available.

Description:

The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various
security and bugfixes.

The following security bugs were fixed:
- CVE-2016-5829: Multiple heap-based buffer overflows in the
hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux
kernel allowed local users to cause a denial of service or possibly have
unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2)
HIDIOCSUSAGES ioctl call (bnc#986572).
- CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt implementation
in the netfilter subsystem in the Linux kernel allowed local users to
gain privileges or cause a denial of service (memory corruption) by
leveraging in-container root access to provide a crafted offset value
that triggers an unintended decrement (bnc#986362).
- CVE-2016-4470: The key_reject_and_link function in security/keys/key.c
in the Linux kernel did not ensure that a certain data structure is
initialized, which allowed local users to cause a denial of service
(system crash) via vectors involving a crafted keyctl request2 command
(bnc#984755).
- CVE-2016-5244: The rds_inc_info_copy function in net/rds/recv.c in the
Linux kernel did not initialize a certain structure member, which
allowed remote attackers to obtain sensitive information from kernel
stack memory by reading an RDS message (bnc#983213).
- CVE-2016-1583: The ecryptfs_privileged_open function in
fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain
privileges or cause a denial of service (stack memory consumption) via
vectors involving crafted mmap calls for /proc pathnames, leading to
recursive pagefault handling (bnc#983143).
- CVE-2016-4913: The get_rock_ridge_filename function in fs/isofs/rock.c
in the Linux kernel mishandled NM (aka alternate name) entries
containing \0 characters, which allowed local users to obtain sensitive
information from kernel memory or possibly have unspecified other impact
via a crafted isofs filesystem (bnc#980725).
- CVE-2016-4580: The x25_negotiate_facilities function in
net/x25/x25_facilities.c in the Linux kernel did not properly initialize
a certain data structure, which allowed attackers to obtain sensitive
information from kernel stack memory via an X.25 Call Request
(bnc#981267).
- CVE-2016-4805: Use-after-free vulnerability in
drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to
cause a denial of service (memory corruption and system crash, or
spinlock) or possibly have unspecified other impact by removing a
network namespace, related to the ppp_register_net_channel and
ppp_unregister_channel functions (bnc#980371).
- CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux
kernel allowed local users to gain privileges via crafted ASN.1 data
(bnc#979867).
- CVE-2015-7833: The usbvision driver in the Linux kernel allowed
physically proximate attackers to cause a denial of service (panic) via
a nonzero bInterfaceNumber value in a USB device descriptor (bnc#950998).
- CVE-2016-3707: The icmp_check_sysrq function in net/ipv4/icmp.c in the
kernel.org projects/rt patches for the Linux kernel, allowed remote
attackers to execute SysRq commands via crafted ICMP Echo Request
packets, as demonstrated by a brute-force attack to discover a cookie,
or an attack that occurs after reading the local icmp_echo_sysrq file
(bnc#980246).
- CVE-2016-2187: The gtco_probe function in drivers/input/tablet/gtco.c in
the Linux kernel allowed physically proximate attackers to cause a
denial of service (NULL pointer dereference and system crash) via a
crafted endpoints value in a USB device descriptor (bnc#971944).
- CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c
in the Linux kernel did not initialize a certain data structure, which
allowed local users to obtain sensitive information from kernel stack
memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401).
- CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in
the Linux kernel allowed attackers to cause a denial of service (panic)
via an ASN.1 BER file that lacks a public key, leading to mishandling by
the public_key_verify_signature function in
crypto/asymmetric_keys/public_key.c (bnc#963762).
- CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel
incorrectly relied on the write system call, which allowed local users
to cause a denial of service (kernel memory write operation) or possibly
have unspecified other impact via a uAPI interface (bnc#979548).
- CVE-2016-4485: The llc_cmsg_rcv function in net/llc/af_llc.c in the
Linux kernel did not initialize a certain data structure, which allowed
attackers to obtain sensitive information from kernel stack memory by
reading a message (bnc#978821).
- CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize
certain r1 data structures, which allowed local users to obtain
sensitive information from kernel stack memory via crafted use of the
ALSA timer interface, related to the (1) snd_timer_user_ccallback and
(2) snd_timer_user_tinterrupt functions (bnc#979879).
- CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c
in the Linux kernel did not initialize a certain data structure, which
allowed local users to obtain sensitive information from kernel stack
memory via crafted use of the ALSA timer interface (bnc#979213).
- CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c
in the Linux kernel did not initialize a certain data structure, which
allowed local users to obtain sensitive information from kernel stack
memory by reading a Netlink message (bnc#978822).
- CVE-2016-3134: The netfilter subsystem in the Linux kernel did not
validate certain offset fields, which allowed local users to gain
privileges or cause a denial of service (heap memory corruption) via an
IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

The following non-security bugs were fixed:
- ALSA: hrtimer: Handle start/stop more properly (bsc#973378).
- ALSA: oxygen: add Xonar DGX support (bsc#982691).
- Assign correct ->can_queue value in hv_storvsc (bnc#969391)
- Delete
patches.drivers/nvme-0165-Split-header-file-into-user-visible-and-kernel-.p
atch. SLE11-SP4 does not have uapi headers so move everything back to
the original header (bnc#981231)
- Driver: Vmxnet3: set CHECKSUM_UNNECESSARY for IPv6 packets (bsc#976739).
- Fix cifs_uniqueid_to_ino_t() function for s390x (bsc#944309)
- KVM: x86: fix maintenance of guest/host xcr0 state (bsc#961518).
- MM: increase safety margin provided by PF_LESS_THROTTLE (bsc#956491).
- NFS: Do not attempt to decode missing directory entries (bsc#980931).
- NFS: avoid deadlocks with loop-back mounted NFS filesystems (bsc#956491).
- NFS: avoid waiting at all in nfs_release_page when congested
(bsc#956491).
- NFS: fix memory corruption rooted in get_ih_name pointer math
(bsc#984107).
- NFS: reduce access cache shrinker locking (bnc#866130).
- NFSv4: Ensure that we do not drop a state owner more than once
(bsc#979595).
- NFSv4: OPEN must handle the NFS4ERR_IO return code correctly
(bsc#979595).
- NVMe: Unify controller probe and resume (bsc#979347).
- RDMA/cxgb4: Configure 0B MRs to match HW implementation (bsc#909589).
- RDMA/cxgb4: Do not hang threads forever waiting on WR replies
(bsc#909589).
- RDMA/cxgb4: Fix locking issue in process_mpa_request (bsc#909589).
- RDMA/cxgb4: Handle NET_XMIT return codes (bsc#909589).
- RDMA/cxgb4: Increase epd buff size for debug interface (bsc#909589).
- RDMA/cxgb4: Limit MRs to less than 8GB for T4/T5 devices (bsc#909589).
- RDMA/cxgb4: Serialize CQ event upcalls with CQ destruction (bsc#909589).
- RDMA/cxgb4: Wake up waiters after flushing the qp (bsc#909589).
- SCSI: Increase REPORT_LUNS timeout (bsc#971989).
- Update
patches.drivers/nvme-0265-fix-max_segments-integer-truncation.patch
(bsc#979419). Fix reference.
- Update
patches.fixes/bnx2x-Alloc-4k-fragment-for-each-rx-ring-buffer-elem.patch
(bsc#953369 bsc#975358).
- bridge: superfluous skb->nfct check in br_nf_dev_queue_xmit
(bsc#982544).
- cgroups: do not attach task to subsystem if migration failed
(bnc#979274).
- cgroups: more safe tasklist locking in cgroup_attach_proc (bnc#979274).
- cpuset: Fix potential deadlock w/ set_mems_allowed (bsc#960857,
bsc#974646).
- dasd: fix hanging system after LCU changes (bnc#968500, LTC#136671).
- enic: set netdev->vlan_features (bsc#966245).
- fcoe: fix reset of fip selection time (bsc#974787).
- hid-elo: kill not flush the work (bnc#982532).
- ipc,sem: fix use after free on IPC_RMID after a task using same
semaphore set exits (bsc#967914).
- ipv4/fib: do not warn when primary address is missing if in_dev is dead
(bsc#971360).
- ipv4: fix ineffective source address selection (bsc#980788).
- ipvs: count pre-established TCP states as active (bsc#970114).
- iucv: call skb_linearize() when needed (bnc#979915, LTC#141240).
- kabi: prevent spurious modversion changes after bsc#982544 fix
(bsc#982544).
- mm/hugetlb.c: correct missing private flag clearing (VM Functionality,
bnc#971446).
- mm/hugetlb: fix backport of upstream commit 07443a85ad (VM
Functionality, bnc#971446).
- mm/swap.c: flush lru pvecs on compound page arrival (bnc#983721).
- mm/vmscan.c: avoid throttling reclaim for loop-back nfsd threads
(bsc#956491).
- mm: Fix DIF failures on ext3 filesystems (bsc#971030).
- net/qlge: Avoids recursive EEH error (bsc#954847).
- netfilter: bridge: Use __in6_dev_get rather than in6_dev_get in
br_validate_ipv6 (bsc#982544).
- netfilter: bridge: do not leak skb in error paths (bsc#982544).
- netfilter: bridge: forward IPv6 fragmented packets (bsc#982544).
- nvme: fix max_segments integer truncation (bsc#676471).
- ocfs2: do not set fs read-only if rec[0] is empty while committing
truncate (bnc#971947).
- ocfs2: extend enough credits for freeing one truncate record while
replaying truncate records (bnc#971947).
- ocfs2: extend transaction for ocfs2_remove_rightmost_path() and
ocfs2_update_edge_lengths() before to avoid inconsistency between inode
and et (bnc#971947).
- qeth: delete napi struct when removing a qeth device (bnc#979915,
LTC#143590).
- rpm/modprobe-xen.conf: Revert comment change to allow parallel install
(bsc#957986). This reverts commit
855c7ce885fd412ce2a25ccc12a46e565c83f235.
- s390/dasd: prevent incorrect length error under z/VM after PAV changes
(bnc#968500, LTC#136670).
- s390/mm: fix asce_bits handling with dynamic pagetable levels
(bnc#979915, LTC#141456).
- s390/pci: add extra padding to function measurement block (bnc#968500,
LTC#139445).
- s390/pci: enforce fmb page boundary rule (bnc#968500, LTC#139445).
- s390/pci: extract software counters from fmb (bnc#968500, LTC#139445).
- s390/pci: fix use after free in dma_init (bnc#979915, LTC#141626).
- s390/pci: remove pdev pointer from arch data (bnc#968500, LTC#139444).
- s390/pci_dma: fix DMA table corruption with > 4 TB main memory
(bnc#968500, LTC#139401).
- s390/pci_dma: handle dma table failures (bnc#968500, LTC#139442).
- s390/pci_dma: improve debugging of errors during dma map (bnc#968500,
LTC#139442).
- s390/pci_dma: unify label of invalid translation table entries
(bnc#968500, LTC#139442).
- s390/spinlock: avoid yield to non existent cpu (bnc#968500, LTC#141106).
- s390: fix test_fp_ctl inline assembly contraints (bnc#979915,
LTC#143138).
- sched/cputime: Fix clock_nanosleep()/clock_gettime() inconsistency
(bnc#988498).
- sched/cputime: Fix cpu_timer_sample_group() double accounting
(bnc#988498).
- sched: Provide update_curr callbacks for stop/idle scheduling classes
(bnc#988498).
- veth: do not modify ip_summed (bsc#969149).
- vgaarb: Add more context to error messages (bsc#976868).
- virtio_scsi: Implement eh_timed_out callback (bsc#936530).
- x86, kvm: fix kvm's usage of kernel_fpu_begin/end() (bsc#961518).
- x86, kvm: use kernel_fpu_begin/end() in kvm_load/put_guest_fpu()
(bsc#961518).
- x86/mm/pat, /dev/mem: Remove superfluous error message (bsc#974620).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Real Time Extension 11-SP4:

zypper in -t patch slertesp4-linux-kernel-12681=1

- SUSE Linux Enterprise Debuginfo 11-SP4:

zypper in -t patch dbgsp4-linux-kernel-12681=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Real Time Extension 11-SP4 (x86_64):

kernel-rt-3.0.101.rt130-57.1
kernel-rt-base-3.0.101.rt130-57.1
kernel-rt-devel-3.0.101.rt130-57.1
kernel-rt_trace-3.0.101.rt130-57.1
kernel-rt_trace-base-3.0.101.rt130-57.1
kernel-rt_trace-devel-3.0.101.rt130-57.1
kernel-source-rt-3.0.101.rt130-57.1
kernel-syms-rt-3.0.101.rt130-57.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):

kernel-rt-debuginfo-3.0.101.rt130-57.1
kernel-rt-debugsource-3.0.101.rt130-57.1
kernel-rt_debug-debuginfo-3.0.101.rt130-57.1
kernel-rt_debug-debugsource-3.0.101.rt130-57.1
kernel-rt_trace-debuginfo-3.0.101.rt130-57.1
kernel-rt_trace-debugsource-3.0.101.rt130-57.1

References:

https://www.suse.com/security/cve/CVE-2015-7833.html
https://www.suse.com/security/cve/CVE-2016-0758.html
https://www.suse.com/security/cve/CVE-2016-1583.html
https://www.suse.com/security/cve/CVE-2016-2053.html
https://www.suse.com/security/cve/CVE-2016-2187.html
https://www.suse.com/security/cve/CVE-2016-3134.html
https://www.suse.com/security/cve/CVE-2016-3707.html
https://www.suse.com/security/cve/CVE-2016-4470.html
https://www.suse.com/security/cve/CVE-2016-4482.html
https://www.suse.com/security/cve/CVE-2016-4485.html
https://www.suse.com/security/cve/CVE-2016-4486.html
https://www.suse.com/security/cve/CVE-2016-4565.html
https://www.suse.com/security/cve/CVE-2016-4569.html
https://www.suse.com/security/cve/CVE-2016-4578.html
https://www.suse.com/security/cve/CVE-2016-4580.html
https://www.suse.com/security/cve/CVE-2016-4805.html
https://www.suse.com/security/cve/CVE-2016-4913.html
https://www.suse.com/security/cve/CVE-2016-4997.html
https://www.suse.com/security/cve/CVE-2016-5244.html
https://www.suse.com/security/cve/CVE-2016-5829.html
https://bugzilla.suse.com/676471
https://bugzilla.suse.com/866130
https://bugzilla.suse.com/909589
https://bugzilla.suse.com/936530
https://bugzilla.suse.com/944309
https://bugzilla.suse.com/950998
https://bugzilla.suse.com/953369
https://bugzilla.suse.com/954847
https://bugzilla.suse.com/956491
https://bugzilla.suse.com/957986
https://bugzilla.suse.com/960857
https://bugzilla.suse.com/961518
https://bugzilla.suse.com/963762
https://bugzilla.suse.com/966245
https://bugzilla.suse.com/967914
https://bugzilla.suse.com/968500
https://bugzilla.suse.com/969149
https://bugzilla.suse.com/969391
https://bugzilla.suse.com/970114
https://bugzilla.suse.com/971030
https://bugzilla.suse.com/971126
https://bugzilla.suse.com/971360
https://bugzilla.suse.com/971446
https://bugzilla.suse.com/971944
https://bugzilla.suse.com/971947
https://bugzilla.suse.com/971989
https://bugzilla.suse.com/973378
https://bugzilla.suse.com/974620
https://bugzilla.suse.com/974646
https://bugzilla.suse.com/974787
https://bugzilla.suse.com/975358
https://bugzilla.suse.com/976739
https://bugzilla.suse.com/976868
https://bugzilla.suse.com/978401
https://bugzilla.suse.com/978821
https://bugzilla.suse.com/978822
https://bugzilla.suse.com/979213
https://bugzilla.suse.com/979274
https://bugzilla.suse.com/979347
https://bugzilla.suse.com/979419
https://bugzilla.suse.com/979548
https://bugzilla.suse.com/979595
https://bugzilla.suse.com/979867
https://bugzilla.suse.com/979879
https://bugzilla.suse.com/979915
https://bugzilla.suse.com/980246
https://bugzilla.suse.com/980371
https://bugzilla.suse.com/980725
https://bugzilla.suse.com/980788
https://bugzilla.suse.com/980931
https://bugzilla.suse.com/981231
https://bugzilla.suse.com/981267
https://bugzilla.suse.com/982532
https://bugzilla.suse.com/982544
https://bugzilla.suse.com/982691
https://bugzilla.suse.com/983143
https://bugzilla.suse.com/983213
https://bugzilla.suse.com/983721
https://bugzilla.suse.com/984107
https://bugzilla.suse.com/984755
https://bugzilla.suse.com/986362
https://bugzilla.suse.com/986572
https://bugzilla.suse.com/988498

--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org