openSUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: openSUSE-SU-2016:2625-1
Rating: important
References: #1000287 #1001486 #1003077 #1003925 #1003931
#1004045 #1004418 #1004462 #881008 #909994
#911687 #922634 #951155 #960689 #978094 #980371
#986570 #989152 #991247 #991608 #991665 #993890
#993891 #994296 #994520 #994748 #994752 #994759
#996664 #999600 #999932
Cross-References: CVE-2015-7513 CVE-2015-8956 CVE-2016-0823
CVE-2016-1237 CVE-2016-5195 CVE-2016-5696
CVE-2016-6327 CVE-2016-6480 CVE-2016-6828
CVE-2016-7117 CVE-2016-7425 CVE-2016-8658

Affected Products:
openSUSE 13.2
______________________________________________________________________________

An update that solves 12 vulnerabilities and has 19 fixes
is now available.

Description:

The openSUSE 13.2 kernel was updated to receive various security and
bugfixes.

The following security bugs were fixed:

– CVE-2015-8956: The rfcomm_sock_bind function in
net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to
obtain sensitive information or cause a denial of service (NULL pointer
dereference) via vectors involving a bind system call on a Bluetooth
RFCOMM socket (bnc#1003925).
– CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed,
which is reportedly exploited in the wild (bsc#1004418).
– CVE-2016-8658: Stack-based buffer overflow in the
brcmf_cfg80211_start_ap function in
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux
kernel allowed local users to cause a denial of service (system crash)
or possibly have unspecified other impact via a long SSID Information
Element in a command to a Netlink socket (bnc#1004462).
– CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg
function in net/socket.c in the Linux kernel allowed remote attackers to
execute arbitrary code via vectors involving a recvmmsg system call that
is mishandled during error processing (bnc#1003077).
– CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the
Linux kernel before 3.19.3, as used in Android 6.0.1 before 2016-03-01,
allowed local users to obtain sensitive physical-address information by
reading a pagemap file, aka Android internal bug 25739721 (bnc#994759).
– CVE-2016-7425: The arcmsr_iop_message_xfer function in
drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a
certain length field, which allowed local users to gain privileges
or cause a denial of service (heap-based buffer overflow) via an
ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).
– CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel
allowed local users to cause a denial of service (NULL pointer
dereference and system crash) by using an ABORT_TASK command to abort a
device write operation (bnc#994748).
– CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in
the Linux kernel did not properly maintain certain SACK state after a
failed data copy, which allowed local users to cause a denial of service
(tcp_xmit_retransmit_queue use-after-free and system crash) via a
crafted SACK option (bnc#994296).
– CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly
determine the rate of challenge ACK segments, which made it easier for
man-in-the-middle attackers to hijack TCP sessions via a blind in-window
attack (bnc#989152)
– CVE-2016-6480: Race condition in the ioctl_send_fib function in
drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users
to cause a denial of service (out-of-bounds access or system crash) by
changing a certain size value, aka a “double fetch” vulnerability
(bnc#991608).
– CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel did not reset the
PIT counter values during state restoration, which allowed guest OS
users to cause a denial of service (divide-by-zero error and host OS
crash) via a zero value, related to the kvm_vm_ioctl_set_pit and
kvm_vm_ioctl_set_pit2 functions (bnc#960689).
– CVE-2016-1237: nfsd in the Linux kernel allowed local users to bypass
intended file-permission restrictions by setting a POSIX ACL, related to
nfs2acl.c, nfs3acl.c, and nfs4acl.c (bnc#986570).

The following non-security bugs were fixed:

– AF_VSOCK: Shrink the area influenced by prepare_to_wait (bsc#994520).
– xen: Fix refcnt regression in xen netback introduced by changes made for
bug#881008 (bnc#978094)
– MSI-X: fix an error path (luckily none so far).
– usb: fix typo in wMaxPacketSize validation (bsc#991665).
– usb: validate wMaxPacketValue entries in endpoint descriptors
(bnc#991665).
– Update patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch
(bsc#986570 CVE#2016-1237).
– Update patches.fixes/0001-posix_acl-Add-set_posix_acl.patch (bsc#986570
CVE#2016-1237).
– apparmor: fix change_hat not finding hat after policy replacement
(bsc#1000287).
– arm64: Honor __GFP_ZERO in dma allocations (bsc#1004045).
– arm64: __clear_user: handle exceptions on strb (bsc#994752).
– arm64: dma-mapping: always clear allocated buffers (bsc#1004045).
– arm64: perf: reject groups spanning multiple HW PMUs (bsc#1003931).
– blkfront: fix an error path memory leak (luckily none so far).
– blktap2: eliminate deadlock potential from shutdown path (bsc#909994).
– blktap2: eliminate race from deferred work queue handling (bsc#911687).
– btrfs: ensure that file descriptor used with subvol ioctls is a dir
(bsc#999600).
– cdc-acm: added sanity checking for probe() (bsc#993891).
– kaweth: fix firmware download (bsc#993890).
– kaweth: fix oops upon failed memory allocation (bsc#993890).
– netback: fix flipping mode (bsc#996664).
– netback: fix flipping mode (bsc#996664).
– netfront: linearize SKBs requiring too many slots (bsc#991247).
– nfsd: check permissions when setting ACLs (bsc#986570).
– posix_acl: Add set_posix_acl (bsc#986570).
– ppp: defer netns reference release for ppp channel (bsc#980371).
– tunnels: Do not apply GRO to multiple layers of encapsulation
(bsc#1001486).
– usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices
(bsc#922634).
– x86: suppress lazy MMU updates during vmalloc fault processing
(bsc#951155).
– xen-netback-generalize.patch: Fold back into base patch.
– xen3-patch-2.6.31.patch: Fold back into base patch.
– xen3-patch-3.12.patch: Fold bac into base patch.
– xen3-patch-3.15.patch: Fold back into base patch.
– xen3-patch-3.3.patch: Fold back into base patch.
– xen3-patch-3.9.patch: Fold bac into base patch.
– xen3-patch-3.9.patch: Fold back into base patch.
– xenbus: do not bail early from xenbus_dev_request_and_reply() (luckily
none so far).
– xenbus: inspect the correct type in xenbus_dev_request_and_reply().

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– openSUSE 13.2:

zypper in -t patch openSUSE-2016-1227=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– openSUSE 13.2 (i686 x86_64):

kernel-debug-3.16.7-45.1
kernel-debug-base-3.16.7-45.1
kernel-debug-base-debuginfo-3.16.7-45.1
kernel-debug-debuginfo-3.16.7-45.1
kernel-debug-debugsource-3.16.7-45.1
kernel-debug-devel-3.16.7-45.1
kernel-debug-devel-debuginfo-3.16.7-45.1
kernel-desktop-3.16.7-45.1
kernel-desktop-base-3.16.7-45.1
kernel-desktop-base-debuginfo-3.16.7-45.1
kernel-desktop-debuginfo-3.16.7-45.1
kernel-desktop-debugsource-3.16.7-45.1
kernel-desktop-devel-3.16.7-45.1
kernel-ec2-base-debuginfo-3.16.7-45.1
kernel-ec2-debuginfo-3.16.7-45.1
kernel-ec2-debugsource-3.16.7-45.1
kernel-vanilla-3.16.7-45.1
kernel-vanilla-debuginfo-3.16.7-45.1
kernel-vanilla-debugsource-3.16.7-45.1
kernel-vanilla-devel-3.16.7-45.1
kernel-xen-3.16.7-45.1
kernel-xen-base-3.16.7-45.1
kernel-xen-base-debuginfo-3.16.7-45.1
kernel-xen-debuginfo-3.16.7-45.1
kernel-xen-debugsource-3.16.7-45.1
kernel-xen-devel-3.16.7-45.1

– openSUSE 13.2 (i586 x86_64):

bbswitch-0.8-3.22.1
bbswitch-debugsource-0.8-3.22.1
bbswitch-kmp-default-0.8_k3.16.7_45-3.22.1
bbswitch-kmp-default-debuginfo-0.8_k3.16.7_45-3.22.1
bbswitch-kmp-desktop-0.8_k3.16.7_45-3.22.1
bbswitch-kmp-desktop-debuginfo-0.8_k3.16.7_45-3.22.1
bbswitch-kmp-xen-0.8_k3.16.7_45-3.22.1
bbswitch-kmp-xen-debuginfo-0.8_k3.16.7_45-3.22.1
cloop-2.639-14.22.1
cloop-debuginfo-2.639-14.22.1
cloop-debugsource-2.639-14.22.1
cloop-kmp-default-2.639_k3.16.7_45-14.22.1
cloop-kmp-default-debuginfo-2.639_k3.16.7_45-14.22.1
cloop-kmp-desktop-2.639_k3.16.7_45-14.22.1
cloop-kmp-desktop-debuginfo-2.639_k3.16.7_45-14.22.1
cloop-kmp-xen-2.639_k3.16.7_45-14.22.1
cloop-kmp-xen-debuginfo-2.639_k3.16.7_45-14.22.1
crash-7.0.8-22.1
crash-debuginfo-7.0.8-22.1
crash-debugsource-7.0.8-22.1
crash-devel-7.0.8-22.1
crash-doc-7.0.8-22.1
crash-eppic-7.0.8-22.1
crash-eppic-debuginfo-7.0.8-22.1
crash-gcore-7.0.8-22.1
crash-gcore-debuginfo-7.0.8-22.1
crash-kmp-default-7.0.8_k3.16.7_45-22.1
crash-kmp-default-debuginfo-7.0.8_k3.16.7_45-22.1
crash-kmp-desktop-7.0.8_k3.16.7_45-22.1
crash-kmp-desktop-debuginfo-7.0.8_k3.16.7_45-22.1
crash-kmp-xen-7.0.8_k3.16.7_45-22.1
crash-kmp-xen-debuginfo-7.0.8_k3.16.7_45-22.1
hdjmod-debugsource-1.28-18.23.1
hdjmod-kmp-default-1.28_k3.16.7_45-18.23.1
hdjmod-kmp-default-debuginfo-1.28_k3.16.7_45-18.23.1
hdjmod-kmp-desktop-1.28_k3.16.7_45-18.23.1
hdjmod-kmp-desktop-debuginfo-1.28_k3.16.7_45-18.23.1
hdjmod-kmp-xen-1.28_k3.16.7_45-18.23.1
hdjmod-kmp-xen-debuginfo-1.28_k3.16.7_45-18.23.1
ipset-6.23-22.1
ipset-debuginfo-6.23-22.1
ipset-debugsource-6.23-22.1
ipset-devel-6.23-22.1
ipset-kmp-default-6.23_k3.16.7_45-22.1
ipset-kmp-default-debuginfo-6.23_k3.16.7_45-22.1
ipset-kmp-desktop-6.23_k3.16.7_45-22.1
ipset-kmp-desktop-debuginfo-6.23_k3.16.7_45-22.1
ipset-kmp-xen-6.23_k3.16.7_45-22.1
ipset-kmp-xen-debuginfo-6.23_k3.16.7_45-22.1
kernel-default-3.16.7-45.1
kernel-default-base-3.16.7-45.1
kernel-default-base-debuginfo-3.16.7-45.1
kernel-default-debuginfo-3.16.7-45.1
kernel-default-debugsource-3.16.7-45.1
kernel-default-devel-3.16.7-45.1
kernel-ec2-3.16.7-45.1
kernel-ec2-base-3.16.7-45.1
kernel-ec2-devel-3.16.7-45.1
kernel-obs-build-3.16.7-45.1
kernel-obs-build-debugsource-3.16.7-45.1
kernel-obs-qa-3.16.7-45.1
kernel-obs-qa-xen-3.16.7-45.1
kernel-syms-3.16.7-45.1
libipset3-6.23-22.1
libipset3-debuginfo-6.23-22.1
pcfclock-0.44-260.22.1
pcfclock-debuginfo-0.44-260.22.1
pcfclock-debugsource-0.44-260.22.1
pcfclock-kmp-default-0.44_k3.16.7_45-260.22.1
pcfclock-kmp-default-debuginfo-0.44_k3.16.7_45-260.22.1
pcfclock-kmp-desktop-0.44_k3.16.7_45-260.22.1
pcfclock-kmp-desktop-debuginfo-0.44_k3.16.7_45-260.22.1
python-virtualbox-5.0.28-54.2
python-virtualbox-debuginfo-5.0.28-54.2
vhba-kmp-debugsource-20140629-2.22.1
vhba-kmp-default-20140629_k3.16.7_45-2.22.1
vhba-kmp-default-debuginfo-20140629_k3.16.7_45-2.22.1
vhba-kmp-desktop-20140629_k3.16.7_45-2.22.1
vhba-kmp-desktop-debuginfo-20140629_k3.16.7_45-2.22.1
vhba-kmp-xen-20140629_k3.16.7_45-2.22.1
vhba-kmp-xen-debuginfo-20140629_k3.16.7_45-2.22.1
virtualbox-5.0.28-54.2
virtualbox-debuginfo-5.0.28-54.2
virtualbox-debugsource-5.0.28-54.2
virtualbox-devel-5.0.28-54.2
virtualbox-guest-kmp-default-5.0.28_k3.16.7_45-54.2
virtualbox-guest-kmp-default-debuginfo-5.0.28_k3.16.7_45-54.2
virtualbox-guest-kmp-desktop-5.0.28_k3.16.7_45-54.2
virtualbox-guest-kmp-desktop-debuginfo-5.0.28_k3.16.7_45-54.2
virtualbox-guest-tools-5.0.28-54.2
virtualbox-guest-tools-debuginfo-5.0.28-54.2
virtualbox-guest-x11-5.0.28-54.2
virtualbox-guest-x11-debuginfo-5.0.28-54.2
virtualbox-host-kmp-default-5.0.28_k3.16.7_45-54.2
virtualbox-host-kmp-default-debuginfo-5.0.28_k3.16.7_45-54.2
virtualbox-host-kmp-desktop-5.0.28_k3.16.7_45-54.2
virtualbox-host-kmp-desktop-debuginfo-5.0.28_k3.16.7_45-54.2
virtualbox-qt-5.0.28-54.2
virtualbox-qt-debuginfo-5.0.28-54.2
virtualbox-websrv-5.0.28-54.2
virtualbox-websrv-debuginfo-5.0.28-54.2
xen-debugsource-4.4.4_05-51.2
xen-devel-4.4.4_05-51.2
xen-libs-4.4.4_05-51.2
xen-libs-debuginfo-4.4.4_05-51.2
xen-tools-domU-4.4.4_05-51.2
xen-tools-domU-debuginfo-4.4.4_05-51.2
xtables-addons-2.6-24.1
xtables-addons-debuginfo-2.6-24.1
xtables-addons-debugsource-2.6-24.1
xtables-addons-kmp-default-2.6_k3.16.7_45-24.1
xtables-addons-kmp-default-debuginfo-2.6_k3.16.7_45-24.1
xtables-addons-kmp-desktop-2.6_k3.16.7_45-24.1
xtables-addons-kmp-desktop-debuginfo-2.6_k3.16.7_45-24.1
xtables-addons-kmp-xen-2.6_k3.16.7_45-24.1
xtables-addons-kmp-xen-debuginfo-2.6_k3.16.7_45-24.1

– openSUSE 13.2 (noarch):

kernel-devel-3.16.7-45.1
kernel-docs-3.16.7-45.2
kernel-macros-3.16.7-45.1
kernel-source-3.16.7-45.1
kernel-source-vanilla-3.16.7-45.1
virtualbox-guest-desktop-icons-5.0.28-54.2
virtualbox-host-source-5.0.28-54.2

– openSUSE 13.2 (x86_64):

xen-4.4.4_05-51.2
xen-doc-html-4.4.4_05-51.2
xen-kmp-default-4.4.4_05_k3.16.7_45-51.2
xen-kmp-default-debuginfo-4.4.4_05_k3.16.7_45-51.2
xen-kmp-desktop-4.4.4_05_k3.16.7_45-51.2
xen-kmp-desktop-debuginfo-4.4.4_05_k3.16.7_45-51.2
xen-libs-32bit-4.4.4_05-51.2
xen-libs-debuginfo-32bit-4.4.4_05-51.2
xen-tools-4.4.4_05-51.2
xen-tools-debuginfo-4.4.4_05-51.2

– openSUSE 13.2 (i686):

kernel-pae-3.16.7-45.1
kernel-pae-base-3.16.7-45.1
kernel-pae-base-debuginfo-3.16.7-45.1
kernel-pae-debuginfo-3.16.7-45.1
kernel-pae-debugsource-3.16.7-45.1
kernel-pae-devel-3.16.7-45.1

– openSUSE 13.2 (i586):

bbswitch-kmp-pae-0.8_k3.16.7_45-3.22.1
bbswitch-kmp-pae-debuginfo-0.8_k3.16.7_45-3.22.1
cloop-kmp-pae-2.639_k3.16.7_45-14.22.1
cloop-kmp-pae-debuginfo-2.639_k3.16.7_45-14.22.1
crash-kmp-pae-7.0.8_k3.16.7_45-22.1
crash-kmp-pae-debuginfo-7.0.8_k3.16.7_45-22.1
hdjmod-kmp-pae-1.28_k3.16.7_45-18.23.1
hdjmod-kmp-pae-debuginfo-1.28_k3.16.7_45-18.23.1
ipset-kmp-pae-6.23_k3.16.7_45-22.1
ipset-kmp-pae-debuginfo-6.23_k3.16.7_45-22.1
pcfclock-kmp-pae-0.44_k3.16.7_45-260.22.1
pcfclock-kmp-pae-debuginfo-0.44_k3.16.7_45-260.22.1
vhba-kmp-pae-20140629_k3.16.7_45-2.22.1
vhba-kmp-pae-debuginfo-20140629_k3.16.7_45-2.22.1
virtualbox-guest-kmp-pae-5.0.28_k3.16.7_45-54.2
virtualbox-guest-kmp-pae-debuginfo-5.0.28_k3.16.7_45-54.2
virtualbox-host-kmp-pae-5.0.28_k3.16.7_45-54.2
virtualbox-host-kmp-pae-debuginfo-5.0.28_k3.16.7_45-54.2
xtables-addons-kmp-pae-2.6_k3.16.7_45-24.1
xtables-addons-kmp-pae-debuginfo-2.6_k3.16.7_45-24.1

References:

https://www.suse.com/security/cve/CVE-2015-7513.html
https://www.suse.com/security/cve/CVE-2015-8956.html
https://www.suse.com/security/cve/CVE-2016-0823.html
https://www.suse.com/security/cve/CVE-2016-1237.html
https://www.suse.com/security/cve/CVE-2016-5195.html
https://www.suse.com/security/cve/CVE-2016-5696.html
https://www.suse.com/security/cve/CVE-2016-6327.html
https://www.suse.com/security/cve/CVE-2016-6480.html
https://www.suse.com/security/cve/CVE-2016-6828.html
https://www.suse.com/security/cve/CVE-2016-7117.html
https://www.suse.com/security/cve/CVE-2016-7425.html
https://www.suse.com/security/cve/CVE-2016-8658.html
https://bugzilla.suse.com/1000287
https://bugzilla.suse.com/1001486
https://bugzilla.suse.com/1003077
https://bugzilla.suse.com/1003925
https://bugzilla.suse.com/1003931
https://bugzilla.suse.com/1004045
https://bugzilla.suse.com/1004418
https://bugzilla.suse.com/1004462
https://bugzilla.suse.com/881008
https://bugzilla.suse.com/909994
https://bugzilla.suse.com/911687
https://bugzilla.suse.com/922634
https://bugzilla.suse.com/951155
https://bugzilla.suse.com/960689
https://bugzilla.suse.com/978094
https://bugzilla.suse.com/980371
https://bugzilla.suse.com/986570
https://bugzilla.suse.com/989152
https://bugzilla.suse.com/991247
https://bugzilla.suse.com/991608
https://bugzilla.suse.com/991665
https://bugzilla.suse.com/993890
https://bugzilla.suse.com/993891
https://bugzilla.suse.com/994296
https://bugzilla.suse.com/994520
https://bugzilla.suse.com/994748
https://bugzilla.suse.com/994752
https://bugzilla.suse.com/994759
https://bugzilla.suse.com/996664
https://bugzilla.suse.com/999600
https://bugzilla.suse.com/999932

—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org