openSUSE Security Update: kernel: security and bugfix update
______________________________________________________________________________

Announcement ID: openSUSE-SU-2014:0985-1
Rating: important
References: #768714 #851686 #855657 #866101 #867531 #867723
#879071 #880484 #882189 #883518 #883724 #883795
#884840 #885422 #885725 #886629
Cross-References: CVE-2014-0100 CVE-2014-0131 CVE-2014-2309
CVE-2014-3917 CVE-2014-4014 CVE-2014-4171
CVE-2014-4508 CVE-2014-4652 CVE-2014-4653
CVE-2014-4654 CVE-2014-4655 CVE-2014-4656
CVE-2014-4667 CVE-2014-4699
Affected Products:
openSUSE 13.1
______________________________________________________________________________

An update that solves 14 vulnerabilities and has two fixes
is now available.

Description:

The Linux kernel was updated to fix security issues and bugs:

Security issues fixed: CVE-2014-4699: The Linux kernel on Intel processors
did not properly restrict use of a non-canonical value for the saved RIP
address in the case of a system call that does not use IRET, which allowed
local users to leverage a race condition and gain privileges, or cause a
denial of service (double fault), via a crafted application that makes
ptrace and fork system calls.

CVE-2014-4667: The sctp_association_free function in net/sctp/associola.c
in the Linux kernel did not properly manage a certain backlog value, which
allowed remote attackers to cause a denial of service (socket
outage) via a crafted SCTP packet.

CVE-2014-4171: mm/shmem.c in the Linux kernel did not properly implement
the interaction between range notification and hole punching, which
allowed local users to cause a denial of service (i_mutex hold) by using
the mmap system call to access a hole, as demonstrated by interfering with
intended shmem activity by blocking completion of (1) an MADV_REMOVE
madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call.

CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit
x86 platforms, when syscall auditing is enabled and the sep CPU feature
flag is set, allowed local users to cause a denial of service (OOPS and
system crash) via an invalid syscall number, as demonstrated by number
1000.

CVE-2014-0100: Race condition in the inet_frag_intern function in
net/ipv4/inet_fragment.c in the Linux kernel allowed remote attackers to
cause a denial of service (use-after-free error) or possibly have
unspecified other impact via a large series of fragmented ICMP Echo
Request packets to a system with a heavy CPU load.

CVE-2014-4656: Multiple integer overflows in sound/core/control.c in the
ALSA control implementation in the Linux kernel allowed local users to
cause a denial of service by leveraging /dev/snd/controlCX access, related
to (1) index values in the snd_ctl_add function and (2) numid values in
the snd_ctl_remove_numid_conflict function.

CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c in
the ALSA control implementation in the Linux kernel did not properly
maintain the user_ctl_count value, which allowed local users to cause a
denial of service (integer overflow and limit bypass) by leveraging
/dev/snd/controlCX access for a large number of
SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls.

CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c in
the ALSA control implementation in the Linux kernel did not check
authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allowed
local users to remove kernel controls and cause a denial of service
(use-after-free and system crash) by leveraging /dev/snd/controlCX access
for an ioctl call.

CVE-2014-4653: sound/core/control.c in the ALSA control implementation in
the Linux kernel did not ensure possession of a read/write lock, which
allowed local users to cause a denial of service (use-after-free) and
obtain sensitive information from kernel memory by leveraging
/dev/snd/controlCX access.

CVE-2014-4652: Race condition in the tlv handler functionality in the
snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control
implementation in the Linux kernel allowed local users to obtain sensitive
information from kernel memory by leveraging /dev/snd/controlCX access.

CVE-2014-4014: The capabilities implementation in the Linux kernel did not
properly consider that namespaces are inapplicable to inodes, which
allowed local users to bypass intended chmod restrictions by first
creating a user namespace, as demonstrated by setting the setgid bit on a
file with group ownership of root.

CVE-2014-2309: The ip6_route_add function in net/ipv6/route.c in the Linux
kernel did not properly count the addition of routes, which allowed remote
attackers to cause a denial of service (memory consumption) via a flood of
ICMPv6 Router Advertisement packets.

CVE-2014-3917: kernel/auditsc.c in the Linux kernel, when
CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allowed local
users to obtain potentially sensitive single-bit values from kernel memory
or cause a denial of service (OOPS) via a large value of a syscall number.

CVE-2014-0131: Use-after-free vulnerability in the skb_segment function in
net/core/skbuff.c in the Linux kernel allowed attackers to obtain
sensitive information from kernel memory by leveraging the absence of a
certain orphaning operation.

Bugs fixed:
– Don’t trigger congestion wait on dirty-but-not-writeout pages
(bnc#879071).

– via-velocity: fix netif_receive_skb use in irq disabled section
(bnc#851686).

– HID: logitech-dj: Fix USB 3.0 issue (bnc#886629).

– tg3: Change nvram command timeout value to 50ms (bnc#768714 bnc#855657).

– tg3: Override clock, link aware and link idle mode during NVRAM dump
(bnc#768714 bnc#855657).

– tg3: Set the MAC clock to the fastest speed during boot code load
(bnc#768714 bnc#855657).

– ALSA: usb-audio: Fix deadlocks at resuming (bnc#884840).
– ALSA: usb-audio: Save mixer status only once at suspend (bnc#884840).
– ALSA: usb-audio: Resume mixer values properly (bnc#884840).

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– openSUSE 13.1:

zypper in -t patch openSUSE-2014-493

To bring your system up-to-date, use “zypper patch”.

Package List:

– openSUSE 13.1 (i686 x86_64):

kernel-debug-3.11.10-21.1
kernel-debug-base-3.11.10-21.1
kernel-debug-base-debuginfo-3.11.10-21.1
kernel-debug-debuginfo-3.11.10-21.1
kernel-debug-debugsource-3.11.10-21.1
kernel-debug-devel-3.11.10-21.1
kernel-debug-devel-debuginfo-3.11.10-21.1
kernel-desktop-3.11.10-21.1
kernel-desktop-base-3.11.10-21.1
kernel-desktop-base-debuginfo-3.11.10-21.1
kernel-desktop-debuginfo-3.11.10-21.1
kernel-desktop-debugsource-3.11.10-21.1
kernel-desktop-devel-3.11.10-21.1
kernel-desktop-devel-debuginfo-3.11.10-21.1
kernel-ec2-3.11.10-21.1
kernel-ec2-base-3.11.10-21.1
kernel-ec2-base-debuginfo-3.11.10-21.1
kernel-ec2-debuginfo-3.11.10-21.1
kernel-ec2-debugsource-3.11.10-21.1
kernel-ec2-devel-3.11.10-21.1
kernel-ec2-devel-debuginfo-3.11.10-21.1
kernel-trace-3.11.10-21.1
kernel-trace-base-3.11.10-21.1
kernel-trace-base-debuginfo-3.11.10-21.1
kernel-trace-debuginfo-3.11.10-21.1
kernel-trace-debugsource-3.11.10-21.1
kernel-trace-devel-3.11.10-21.1
kernel-trace-devel-debuginfo-3.11.10-21.1
kernel-vanilla-3.11.10-21.1
kernel-vanilla-debuginfo-3.11.10-21.1
kernel-vanilla-debugsource-3.11.10-21.1
kernel-vanilla-devel-3.11.10-21.1
kernel-vanilla-devel-debuginfo-3.11.10-21.1
kernel-xen-3.11.10-21.1
kernel-xen-base-3.11.10-21.1
kernel-xen-base-debuginfo-3.11.10-21.1
kernel-xen-debuginfo-3.11.10-21.1
kernel-xen-debugsource-3.11.10-21.1
kernel-xen-devel-3.11.10-21.1
kernel-xen-devel-debuginfo-3.11.10-21.1

– openSUSE 13.1 (i586 x86_64):

cloop-2.639-11.13.1
cloop-debuginfo-2.639-11.13.1
cloop-debugsource-2.639-11.13.1
cloop-kmp-default-2.639_k3.11.10_21-11.13.1
cloop-kmp-default-debuginfo-2.639_k3.11.10_21-11.13.1
cloop-kmp-desktop-2.639_k3.11.10_21-11.13.1
cloop-kmp-desktop-debuginfo-2.639_k3.11.10_21-11.13.1
cloop-kmp-xen-2.639_k3.11.10_21-11.13.1
cloop-kmp-xen-debuginfo-2.639_k3.11.10_21-11.13.1
crash-7.0.2-2.13.1
crash-debuginfo-7.0.2-2.13.1
crash-debugsource-7.0.2-2.13.1
crash-devel-7.0.2-2.13.1
crash-doc-7.0.2-2.13.1
crash-eppic-7.0.2-2.13.1
crash-eppic-debuginfo-7.0.2-2.13.1
crash-gcore-7.0.2-2.13.1
crash-gcore-debuginfo-7.0.2-2.13.1
crash-kmp-default-7.0.2_k3.11.10_21-2.13.1
crash-kmp-default-debuginfo-7.0.2_k3.11.10_21-2.13.1
crash-kmp-desktop-7.0.2_k3.11.10_21-2.13.1
crash-kmp-desktop-debuginfo-7.0.2_k3.11.10_21-2.13.1
crash-kmp-xen-7.0.2_k3.11.10_21-2.13.1
crash-kmp-xen-debuginfo-7.0.2_k3.11.10_21-2.13.1
hdjmod-debugsource-1.28-16.13.1
hdjmod-kmp-default-1.28_k3.11.10_21-16.13.1
hdjmod-kmp-default-debuginfo-1.28_k3.11.10_21-16.13.1
hdjmod-kmp-desktop-1.28_k3.11.10_21-16.13.1
hdjmod-kmp-desktop-debuginfo-1.28_k3.11.10_21-16.13.1
hdjmod-kmp-xen-1.28_k3.11.10_21-16.13.1
hdjmod-kmp-xen-debuginfo-1.28_k3.11.10_21-16.13.1
ipset-6.21.1-2.17.1
ipset-debuginfo-6.21.1-2.17.1
ipset-debugsource-6.21.1-2.17.1
ipset-devel-6.21.1-2.17.1
ipset-kmp-default-6.21.1_k3.11.10_21-2.17.1
ipset-kmp-default-debuginfo-6.21.1_k3.11.10_21-2.17.1
ipset-kmp-desktop-6.21.1_k3.11.10_21-2.17.1
ipset-kmp-desktop-debuginfo-6.21.1_k3.11.10_21-2.17.1
ipset-kmp-xen-6.21.1_k3.11.10_21-2.17.1
ipset-kmp-xen-debuginfo-6.21.1_k3.11.10_21-2.17.1
iscsitarget-1.4.20.3-13.13.1
iscsitarget-debuginfo-1.4.20.3-13.13.1
iscsitarget-debugsource-1.4.20.3-13.13.1
iscsitarget-kmp-default-1.4.20.3_k3.11.10_21-13.13.1
iscsitarget-kmp-default-debuginfo-1.4.20.3_k3.11.10_21-13.13.1
iscsitarget-kmp-desktop-1.4.20.3_k3.11.10_21-13.13.1
iscsitarget-kmp-desktop-debuginfo-1.4.20.3_k3.11.10_21-13.13.1
iscsitarget-kmp-xen-1.4.20.3_k3.11.10_21-13.13.1
iscsitarget-kmp-xen-debuginfo-1.4.20.3_k3.11.10_21-13.13.1
kernel-default-3.11.10-21.1
kernel-default-base-3.11.10-21.1
kernel-default-base-debuginfo-3.11.10-21.1
kernel-default-debuginfo-3.11.10-21.1
kernel-default-debugsource-3.11.10-21.1
kernel-default-devel-3.11.10-21.1
kernel-default-devel-debuginfo-3.11.10-21.1
kernel-syms-3.11.10-21.1
libipset3-6.21.1-2.17.1
libipset3-debuginfo-6.21.1-2.17.1
ndiswrapper-1.58-13.1
ndiswrapper-debuginfo-1.58-13.1
ndiswrapper-debugsource-1.58-13.1
ndiswrapper-kmp-default-1.58_k3.11.10_21-13.1
ndiswrapper-kmp-default-debuginfo-1.58_k3.11.10_21-13.1
ndiswrapper-kmp-desktop-1.58_k3.11.10_21-13.1
ndiswrapper-kmp-desktop-debuginfo-1.58_k3.11.10_21-13.1
pcfclock-0.44-258.13.1
pcfclock-debuginfo-0.44-258.13.1
pcfclock-debugsource-0.44-258.13.1
pcfclock-kmp-default-0.44_k3.11.10_21-258.13.1
pcfclock-kmp-default-debuginfo-0.44_k3.11.10_21-258.13.1
pcfclock-kmp-desktop-0.44_k3.11.10_21-258.13.1
pcfclock-kmp-desktop-debuginfo-0.44_k3.11.10_21-258.13.1
python-virtualbox-4.2.18-2.18.1
python-virtualbox-debuginfo-4.2.18-2.18.1
vhba-kmp-debugsource-20130607-2.14.1
vhba-kmp-default-20130607_k3.11.10_21-2.14.1
vhba-kmp-default-debuginfo-20130607_k3.11.10_21-2.14.1
vhba-kmp-desktop-20130607_k3.11.10_21-2.14.1
vhba-kmp-desktop-debuginfo-20130607_k3.11.10_21-2.14.1
vhba-kmp-xen-20130607_k3.11.10_21-2.14.1
vhba-kmp-xen-debuginfo-20130607_k3.11.10_21-2.14.1
virtualbox-4.2.18-2.18.1
virtualbox-debuginfo-4.2.18-2.18.1
virtualbox-debugsource-4.2.18-2.18.1
virtualbox-devel-4.2.18-2.18.1
virtualbox-guest-kmp-default-4.2.18_k3.11.10_21-2.18.1
virtualbox-guest-kmp-default-debuginfo-4.2.18_k3.11.10_21-2.18.1
virtualbox-guest-kmp-desktop-4.2.18_k3.11.10_21-2.18.1
virtualbox-guest-kmp-desktop-debuginfo-4.2.18_k3.11.10_21-2.18.1
virtualbox-guest-tools-4.2.18-2.18.1
virtualbox-guest-tools-debuginfo-4.2.18-2.18.1
virtualbox-guest-x11-4.2.18-2.18.1
virtualbox-guest-x11-debuginfo-4.2.18-2.18.1
virtualbox-host-kmp-default-4.2.18_k3.11.10_21-2.18.1
virtualbox-host-kmp-default-debuginfo-4.2.18_k3.11.10_21-2.18.1
virtualbox-host-kmp-desktop-4.2.18_k3.11.10_21-2.18.1
virtualbox-host-kmp-desktop-debuginfo-4.2.18_k3.11.10_21-2.18.1
virtualbox-qt-4.2.18-2.18.1
virtualbox-qt-debuginfo-4.2.18-2.18.1
virtualbox-websrv-4.2.18-2.18.1
virtualbox-websrv-debuginfo-4.2.18-2.18.1
xen-debugsource-4.3.2_01-21.1
xen-devel-4.3.2_01-21.1
xen-kmp-default-4.3.2_01_k3.11.10_21-21.1
xen-kmp-default-debuginfo-4.3.2_01_k3.11.10_21-21.1
xen-kmp-desktop-4.3.2_01_k3.11.10_21-21.1
xen-kmp-desktop-debuginfo-4.3.2_01_k3.11.10_21-21.1
xen-libs-4.3.2_01-21.1
xen-libs-debuginfo-4.3.2_01-21.1
xen-tools-domU-4.3.2_01-21.1
xen-tools-domU-debuginfo-4.3.2_01-21.1
xtables-addons-2.3-2.13.1
xtables-addons-debuginfo-2.3-2.13.1
xtables-addons-debugsource-2.3-2.13.1
xtables-addons-kmp-default-2.3_k3.11.10_21-2.13.1
xtables-addons-kmp-default-debuginfo-2.3_k3.11.10_21-2.13.1
xtables-addons-kmp-desktop-2.3_k3.11.10_21-2.13.1
xtables-addons-kmp-desktop-debuginfo-2.3_k3.11.10_21-2.13.1
xtables-addons-kmp-xen-2.3_k3.11.10_21-2.13.1
xtables-addons-kmp-xen-debuginfo-2.3_k3.11.10_21-2.13.1

– openSUSE 13.1 (noarch):

kernel-devel-3.11.10-21.1
kernel-docs-3.11.10-21.3
kernel-source-3.11.10-21.1
kernel-source-vanilla-3.11.10-21.1

– openSUSE 13.1 (x86_64):

xen-4.3.2_01-21.1
xen-doc-html-4.3.2_01-21.1
xen-libs-32bit-4.3.2_01-21.1
xen-libs-debuginfo-32bit-4.3.2_01-21.1
xen-tools-4.3.2_01-21.1
xen-tools-debuginfo-4.3.2_01-21.1
xen-xend-tools-4.3.2_01-21.1
xen-xend-tools-debuginfo-4.3.2_01-21.1

– openSUSE 13.1 (i686):

kernel-pae-3.11.10-21.1
kernel-pae-base-3.11.10-21.1
kernel-pae-base-debuginfo-3.11.10-21.1
kernel-pae-debuginfo-3.11.10-21.1
kernel-pae-debugsource-3.11.10-21.1
kernel-pae-devel-3.11.10-21.1
kernel-pae-devel-debuginfo-3.11.10-21.1

– openSUSE 13.1 (i586):

cloop-kmp-pae-2.639_k3.11.10_21-11.13.1
cloop-kmp-pae-debuginfo-2.639_k3.11.10_21-11.13.1
crash-kmp-pae-7.0.2_k3.11.10_21-2.13.1
crash-kmp-pae-debuginfo-7.0.2_k3.11.10_21-2.13.1
hdjmod-kmp-pae-1.28_k3.11.10_21-16.13.1
hdjmod-kmp-pae-debuginfo-1.28_k3.11.10_21-16.13.1
ipset-kmp-pae-6.21.1_k3.11.10_21-2.17.1
ipset-kmp-pae-debuginfo-6.21.1_k3.11.10_21-2.17.1
iscsitarget-kmp-pae-1.4.20.3_k3.11.10_21-13.13.1
iscsitarget-kmp-pae-debuginfo-1.4.20.3_k3.11.10_21-13.13.1
ndiswrapper-kmp-pae-1.58_k3.11.10_21-13.1
ndiswrapper-kmp-pae-debuginfo-1.58_k3.11.10_21-13.1
pcfclock-kmp-pae-0.44_k3.11.10_21-258.13.1
pcfclock-kmp-pae-debuginfo-0.44_k3.11.10_21-258.13.1
vhba-kmp-pae-20130607_k3.11.10_21-2.14.1
vhba-kmp-pae-debuginfo-20130607_k3.11.10_21-2.14.1
virtualbox-guest-kmp-pae-4.2.18_k3.11.10_21-2.18.1
virtualbox-guest-kmp-pae-debuginfo-4.2.18_k3.11.10_21-2.18.1
virtualbox-host-kmp-pae-4.2.18_k3.11.10_21-2.18.1
virtualbox-host-kmp-pae-debuginfo-4.2.18_k3.11.10_21-2.18.1
xen-kmp-pae-4.3.2_01_k3.11.10_21-21.1
xen-kmp-pae-debuginfo-4.3.2_01_k3.11.10_21-21.1
xtables-addons-kmp-pae-2.3_k3.11.10_21-2.13.1
xtables-addons-kmp-pae-debuginfo-2.3_k3.11.10_21-2.13.1

References:

http://support.novell.com/security/cve/CVE-2014-0100.html
http://support.novell.com/security/cve/CVE-2014-0131.html
http://support.novell.com/security/cve/CVE-2014-2309.html
http://support.novell.com/security/cve/CVE-2014-3917.html
http://support.novell.com/security/cve/CVE-2014-4014.html
http://support.novell.com/security/cve/CVE-2014-4171.html
http://support.novell.com/security/cve/CVE-2014-4508.html
http://support.novell.com/security/cve/CVE-2014-4652.html
http://support.novell.com/security/cve/CVE-2014-4653.html
http://support.novell.com/security/cve/CVE-2014-4654.html
http://support.novell.com/security/cve/CVE-2014-4655.html
http://support.novell.com/security/cve/CVE-2014-4656.html
http://support.novell.com/security/cve/CVE-2014-4667.html
http://support.novell.com/security/cve/CVE-2014-4699.html
https://bugzilla.novell.com/768714
https://bugzilla.novell.com/851686
https://bugzilla.novell.com/855657
https://bugzilla.novell.com/866101
https://bugzilla.novell.com/867531
https://bugzilla.novell.com/867723
https://bugzilla.novell.com/879071
https://bugzilla.novell.com/880484
https://bugzilla.novell.com/882189
https://bugzilla.novell.com/883518
https://bugzilla.novell.com/883724
https://bugzilla.novell.com/883795
https://bugzilla.novell.com/884840
https://bugzilla.novell.com/885422
https://bugzilla.novell.com/885725
https://bugzilla.novell.com/886629

—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org