Security update for Linux Kernel
SUSE Security Update: Security update for Linux Kernel
The SUSE Linux Enterprise Server 10 SP3 LTSS received a roll up update to
fix several security and non-security issues.
The following security issues have been fixed:
* CVE-2013-0343: The ipv6_create_tempaddr function in
net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly
handle problems with the generation of IPv6 temporary addresses, which
allows remote attackers to cause a denial of service (excessive retries
and address-generation outage), and consequently obtain sensitive
information, via ICMPv6 Router Advertisement (RA) messages. (bnc#805226)
* CVE-2013-2888: Multiple array index errors in drivers/hid/hid-core.c
in the Human Interface Device (HID) subsystem in the Linux kernel through
3.11 allow physically proximate attackers to execute arbitrary code or
cause a denial of service (heap memory corruption) via a crafted device
that provides an invalid Report ID. (bnc#835839)
* CVE-2013-2893: The Human Interface Device (HID) subsystem in the
Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or
CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to
cause a denial of service (heap-based out-of-bounds write) via a crafted
device, related to (1) drivers/hid/hid-lgff.c, (2)
drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c. (bnc#835839)
* CVE-2013-2897: Multiple array index errors in
drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem
in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled,
allow physically proximate attackers to cause a denial of service (heap
memory corruption, or NULL pointer dereference and OOPS) via a crafted
device. (bnc#835839)
* CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation
Offload (UFO) is enabled, does not properly initialize certain data
structures, which allows local users to cause a denial of service (memory
corruption and system crash) or possibly gain privileges via a crafted
application that uses the UDP_CORK option in a setsockopt system call and
sends both short and long packets, related to the ip_ufo_append_data
function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in
net/ipv6/ip6_output.c. (bnc#847672)
* CVE-2013-4483: The ipc_rcu_putref function in ipc/util.c in the
Linux kernel before 3.10 does not properly manage a reference count, which
allows local users to cause a denial of service (memory consumption
or system crash) via a crafted application. (bnc#848321)
* CVE-2013-4588: Multiple stack-based buffer overflows in
net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when
CONFIG_IP_VS is used, allow local users to gain privileges by leveraging
the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to
the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to
the do_ip_vs_set_ctl function. (bnc#851095)
* CVE-2013-6382: Multiple buffer underflows in the XFS implementation
in the Linux kernel through 3.12.1 allow local users to cause a denial of
service (memory corruption) or possibly have unspecified
other impact by leveraging the CAP_SYS_ADMIN capability for a (1)
XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call
with a crafted length value, related to the xfs_attrlist_by_handle
function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle
function in fs/xfs/xfs_ioctl32.c. (bnc#852553)
* CVE-2013-6383: The aac_compat_ioctl function in
drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not
require the CAP_SYS_RAWIO capability, which allows local users to bypass
intended access restrictions via a crafted ioctl call. (bnc#852558)
* CVE-2013-7263: The Linux kernel before 3.12.4 updates certain length
values before ensuring that associated data structures have been
initialized, which allows local users to obtain sensitive information from
kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg
system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c,
net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#857643)
* CVE-2013-7264: The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in
the Linux kernel before 3.12.4 updates a certain length value before
ensuring that an associated data structure has been initialized, which
allows local users to obtain sensitive information from kernel stack
memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
(bnc#857643)
* CVE-2013-7265: The pn_recvmsg function in net/phonet/datagram.c in
the Linux kernel before 3.12.4 updates a certain length value before
ensuring that an associated data structure has been initialized, which
allows local users to obtain sensitive information from kernel stack
memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
(bnc#857643)
* CVE-2014-1444: The fst_get_iface function in
drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not
properly initialize a certain data structure, which allows local users to
obtain sensitive information from kernel memory by leveraging the
CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869)
* CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c
in the Linux kernel before 3.11.7 does not properly initialize a certain
data structure, which allows local users to obtain sensitive information
from kernel memory via an ioctl call. (bnc#858870)
* CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c
in the Linux kernel before 3.12.8 does not initialize a certain structure
member, which allows local users to obtain sensitive information from
kernel memory by leveraging the CAP_NET_ADMIN capability for an
SIOCYAMGCFG ioctl call. (bnc#858872)
* CVE-2014-1737: The raw_cmd_copyin function in drivers/block/floppy.c
in the Linux kernel through 3.14.3 does not properly handle error
conditions during processing of an FDRAWCMD ioctl call, which allows local
users to trigger kfree operations and gain privileges by leveraging write
access to a /dev/fd device. (bnc#875798)
* CVE-2014-1738: The raw_cmd_copyout function in
drivers/block/floppy.c in the Linux kernel through 3.14.3 does not
properly restrict access to certain pointers during processing of an
FDRAWCMD ioctl call, which allows local users to obtain sensitive
information from kernel heap memory by leveraging write access to a
/dev/fd device. (bnc#875798)
The following bugs have been fixed:
* kernel: sclp console hangs (bnc#830344, LTC#95711, bnc#860304).
* ia64: Change default PSR.ac from "1" to "0" (Fix erratum #237)
(bnc#874108).
* net: Uninline kfree_skb and allow NULL argument (bnc#853501).
* tcp: syncookies: reduce cookie lifetime to 128 seconds (bnc#833968).
* tcp: syncookies: reduce mss table to four values (bnc#833968).
* udp: Fix bogus UFO packet generation (bnc#847672).
* blkdev_max_block: make private to fs/buffer.c (bnc#820338).
* vfs: avoid "attempt to access beyond end of device" warnings
(bnc#820338).
* vfs: fix O_DIRECT read past end of block device (bnc#820338).
* HID: check for NULL field when setting values (bnc#835839).
* HID: provide a helper for validating hid reports (bnc#835839).
* dl2k: Tighten ioctl permissions (bnc#758813).
Security Issues references:
* CVE-2013-0343
* CVE-2013-2888
* CVE-2013-2893
* CVE-2013-2897
* CVE-2013-4470
* CVE-2013-4483
* CVE-2013-4588
* CVE-2013-6382
* CVE-2013-6383
* CVE-2013-7263
* CVE-2013-7264
* CVE-2013-7265
* CVE-2014-1444
* CVE-2014-1445
* CVE-2014-1446
* CVE-2014-1737
* CVE-2014-1738
Announcement ID: SUSE-SU-2014:0832-1
Rating: moderate
References: #758813 #805226 #820338 #830344 #833968 #835839 #847672 #848321 #851095 #852553 #852558 #853501 #857643 #858869 #858870 #858872 #860304 #874108 #875798
Affected Products:
An update that solves 17 vulnerabilities and has two fixes is now available.
Indications:
Everyone using the Linux Kernel on x86_64 architecture should update.
Special Instructions and Notes:
Please reboot the system after installing this update.
Package List:
- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):
- kernel-default-2.6.16.60-0.123.1
- kernel-source-2.6.16.60-0.123.1
- kernel-syms-2.6.16.60-0.123.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 x86_64):
- kernel-debug-2.6.16.60-0.123.1
- kernel-kdump-2.6.16.60-0.123.1
- kernel-smp-2.6.16.60-0.123.1
- kernel-xen-2.6.16.60-0.123.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (i586):
- kernel-bigsmp-2.6.16.60-0.123.1
- kernel-kdumppae-2.6.16.60-0.123.1
- kernel-vmi-2.6.16.60-0.123.1
- kernel-vmipae-2.6.16.60-0.123.1
- kernel-xenpae-2.6.16.60-0.123.1
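One way to confirm that a host carries the fixed packages and has been rebooted into them, as an added example that is not part of the SUSE advisory. The function names and the sample input are constructed for illustration, and the script assumes purely numeric version segments and that `uname -r` reports version-release-flavor.

```sh
#!/bin/sh
# Added example, not part of the advisory. The fixed build and the package
# names are taken from the advisory's package list.
FIXED="2.6.16.60-0.123.1"
PKGS="kernel-default kernel-source kernel-syms kernel-debug kernel-kdump"
PKGS="$PKGS kernel-smp kernel-xen kernel-bigsmp kernel-kdumppae kernel-vmi"
PKGS=" $PKGS kernel-vmipae kernel-xenpae "

# vr_ge A B: succeed when version-release A >= B. Segments are compared
# numerically (a string compare would rank 0.99.1 above 0.123.1).
# Assumption: segments are purely numeric, separated by '.' or '-'.
vr_ge() {
    a=$(printf '%s' "$1" | tr '.-' '  ')
    b=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $a
    for y in $b; do
        x=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# audit_kernel_pkgs: read "name version-release" lines on stdin, print one
# verdict per package named in the advisory, return 1 if any is unpatched.
audit_kernel_pkgs() {
    rc=0
    while read -r name vr; do
        case "$PKGS" in *" $name "*) ;; *) continue ;; esac
        if vr_ge "$vr" "$FIXED"; then
            echo "OK        $name $vr"
        else
            echo "UNPATCHED $name $vr"; rc=1
        fi
    done
    return $rc
}

# reboot_needed RUNNING: succeed when the running kernel is older than the
# fixed build. Assumption: RUNNING looks like version-release-flavor.
reboot_needed() {
    ! vr_ge "${1%-*}" "$FIXED"
}

# Constructed sample input (not from a real host). On a live system use:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | audit_kernel_pkgs
#   reboot_needed "$(uname -r)"
SAMPLE='kernel-default 2.6.16.60-0.123.1
kernel-source 2.6.16.60-0.99.1
bash 3.1-24.26.20'
printf '%s\n' "$SAMPLE" | audit_kernel_pkgs || echo "update required"
reboot_needed "2.6.16.60-0.99.1-default" && echo "reboot into the updated kernel"
```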
References:
- http://support.novell.com/security/cve/CVE-2013-0343.html
- http://support.novell.com/security/cve/CVE-2013-2888.html
- http://support.novell.com/security/cve/CVE-2013-2893.html
- http://support.novell.com/security/cve/CVE-2013-2897.html
- http://support.novell.com/security/cve/CVE-2013-4470.html
- http://support.novell.com/security/cve/CVE-2013-4483.html
- http://support.novell.com/security/cve/CVE-2013-4588.html
- http://support.novell.com/security/cve/CVE-2013-6382.html
- http://support.novell.com/security/cve/CVE-2013-6383.html
- http://support.novell.com/security/cve/CVE-2013-7263.html
- http://support.novell.com/security/cve/CVE-2013-7264.html
- http://support.novell.com/security/cve/CVE-2013-7265.html
- http://support.novell.com/security/cve/CVE-2014-1444.html
- http://support.novell.com/security/cve/CVE-2014-1445.html
- http://support.novell.com/security/cve/CVE-2014-1446.html
- http://support.novell.com/security/cve/CVE-2014-1737.html
- http://support.novell.com/security/cve/CVE-2014-1738.html
- https://bugzilla.novell.com/758813
- https://bugzilla.novell.com/805226
- https://bugzilla.novell.com/820338
- https://bugzilla.novell.com/830344
- https://bugzilla.novell.com/833968
- https://bugzilla.novell.com/835839
- https://bugzilla.novell.com/847672
- https://bugzilla.novell.com/848321
- https://bugzilla.novell.com/851095
- https://bugzilla.novell.com/852553
- https://bugzilla.novell.com/852558
- https://bugzilla.novell.com/853501
- https://bugzilla.novell.com/857643
- https://bugzilla.novell.com/858869
- https://bugzilla.novell.com/858870
- https://bugzilla.novell.com/858872
- https://bugzilla.novell.com/860304
- https://bugzilla.novell.com/874108
- https://bugzilla.novell.com/875798
- http://download.suse.com/patch/finder/?keywords=17ddf66eae63aab3af8b2b3bec742669
- http://download.suse.com/patch/finder/?keywords=26314f5d51311e1fdece27b8fcdf804a
- http://download.suse.com/patch/finder/?keywords=9914353b490102922bc3d08bdf30bacc