Jump to content
Compatible Support Forums
Sign in to follow this  
news

[security-announce] openSUSE-SU-2014:0957-1: important: kernel: security and bugfix update

Recommended Posts

openSUSE Security Update: kernel: security and bugfix update

______________________________________________________________________________

 

Announcement ID: openSUSE-SU-2014:0957-1

Rating: important

References: #788080 #867531 #867723 #877257 #880484 #882189

#883518 #883724 #883795 #885422 #885725

Cross-References: CVE-2014-0131 CVE-2014-2309 CVE-2014-3144

CVE-2014-3145 CVE-2014-3917 CVE-2014-4014

CVE-2014-4171 CVE-2014-4508 CVE-2014-4652

CVE-2014-4653 CVE-2014-4654 CVE-2014-4655

CVE-2014-4656 CVE-2014-4667 CVE-2014-4699

 

Affected Products:

openSUSE 12.3

______________________________________________________________________________

 

An update that fixes 15 vulnerabilities is now available.

 

Description:

 

 

The Linux Kernel was updated to fix various bugs and security issues.

 

CVE-2014-4699: The Linux kernel on Intel processors did not properly

restrict use of a non-canonical value for the saved RIP address in the

case of a system call that does not use IRET, which allowed local users to

leverage a race condition and gain privileges, or cause a denial of

service (double fault), via a crafted application that makes ptrace and

fork system calls.

 

CVE-2014-4667: The sctp_association_free function in net/sctp/associola.c

in the Linux kernel did not properly manage a certain backlog value, which

allowed remote attackers to cause a denial of service (socket

outage) via a crafted SCTP packet.

 

CVE-2014-4171: mm/shmem.c in the Linux kernel did not properly implement

the interaction between range notification and hole punching, which

allowed local users to cause a denial of service (i_mutex hold) by using

the mmap system call to access a hole, as demonstrated by interfering with

intended shmem activity by blocking completion of (1) an MADV_REMOVE

madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call.

 

CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit

x86 platforms, when syscall auditing is enabled and the sep CPU feature

flag is set, allowed local users to cause a denial of service (OOPS and

system crash) via an invalid syscall number, as demonstrated by number

1000.

 

CVE-2014-4656: Multiple integer overflows in sound/core/control.c in the

ALSA control implementation in the Linux kernel allowed local users to

cause a denial of service by leveraging /dev/snd/controlCX access, related

to (1) index values in the snd_ctl_add function and (2) numid values in

the snd_ctl_remove_numid_conflict function.

 

CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c in

the ALSA control implementation in the Linux kernel did not properly

maintain the user_ctl_count value, which allowed local users to cause a

denial of service (integer overflow and limit bypass) by leveraging

/dev/snd/controlCX access for a large number of

SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls.

 

CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c in

the ALSA control implementation in the Linux kernel did not check

authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allowed

local users to remove kernel controls and cause a denial of service

(use-after-free and system crash) by leveraging /dev/snd/controlCX access

for an ioctl call.

 

CVE-2014-4653: sound/core/control.c in the ALSA control implementation in

the Linux kernel did not ensure possession of a read/write lock, which

allowed local users to cause a denial of service (use-after-free) and

obtain sensitive information from kernel memory by leveraging

/dev/snd/controlCX access.

 

CVE-2014-4652: Race condition in the tlv handler functionality in the

snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control

implementation in the Linux kernel allowed local users to obtain sensitive

information from kernel memory by leveraging /dev/snd/controlCX access.

 

CVE-2014-4014: The capabilities implementation in the Linux kernel did not

properly consider that namespaces are inapplicable to inodes, which

allowed local users to bypass intended chmod restrictions by first

creating a user namespace, as demonstrated by setting the setgid bit on a

file with group ownership of root.

 

CVE-2014-2309: The ip6_route_add function in net/ipv6/route.c in the Linux

kernel did not properly count the addition of routes, which allowed remote

attackers to cause a denial of service (memory consumption) via a flood of

ICMPv6 Router Advertisement packets.

 

CVE-2014-3917: kernel/auditsc.c in the Linux kernel, when

CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allowed local

users to obtain potentially sensitive single-bit values from kernel memory

or cause a denial of service (OOPS) via a large value of a syscall number.

 

CVE-2014-0131: Use-after-free vulnerability in the skb_segment function in

net/core/skbuff.c in the Linux kernel allowed attackers to obtain

sensitive information from kernel memory by leveraging the absence of a

certain orphaning operation.

 

CVE-2014-3144: The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST

extension implementations in the sk_run_filter function in

net/core/filter.c in the Linux kernel did not check whether a certain

length value is sufficiently large, which allowed local users to cause a

denial of service (integer underflow and system crash) via crafted BPF

instructions.

 

CVE-2014-3145: The BPF_S_ANC_NLATTR_NEST extension implementation in the

sk_run_filter function in net/core/filter.c in the Linux kernel used the

reverse order in a certain subtraction, which allowed local users to cause

a denial of service (over-read and system crash) via crafted BPF

instructions. NOTE: the affected code was moved to the

__skb_get_nlattr_nest function before the vulnerability was announced.

 

Additional Bug fixed:

- HID: logitech-dj: Fix USB 3.0 issue (bnc#788080).

 

 

Patch Instructions:

 

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- openSUSE 12.3:

 

zypper in -t patch openSUSE-2014-478

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- openSUSE 12.3 (i586 x86_64):

 

kernel-default-3.7.10-1.40.1

kernel-default-base-3.7.10-1.40.1

kernel-default-base-debuginfo-3.7.10-1.40.1

kernel-default-debuginfo-3.7.10-1.40.1

kernel-default-debugsource-3.7.10-1.40.1

kernel-default-devel-3.7.10-1.40.1

kernel-default-devel-debuginfo-3.7.10-1.40.1

kernel-syms-3.7.10-1.40.1

 

- openSUSE 12.3 (i686 x86_64):

 

kernel-debug-3.7.10-1.40.1

kernel-debug-base-3.7.10-1.40.1

kernel-debug-base-debuginfo-3.7.10-1.40.1

kernel-debug-debuginfo-3.7.10-1.40.1

kernel-debug-debugsource-3.7.10-1.40.1

kernel-debug-devel-3.7.10-1.40.1

kernel-debug-devel-debuginfo-3.7.10-1.40.1

kernel-desktop-3.7.10-1.40.1

kernel-desktop-base-3.7.10-1.40.1

kernel-desktop-base-debuginfo-3.7.10-1.40.1

kernel-desktop-debuginfo-3.7.10-1.40.1

kernel-desktop-debugsource-3.7.10-1.40.1

kernel-desktop-devel-3.7.10-1.40.1

kernel-desktop-devel-debuginfo-3.7.10-1.40.1

kernel-ec2-3.7.10-1.40.1

kernel-ec2-base-3.7.10-1.40.1

kernel-ec2-base-debuginfo-3.7.10-1.40.1

kernel-ec2-debuginfo-3.7.10-1.40.1

kernel-ec2-debugsource-3.7.10-1.40.1

kernel-ec2-devel-3.7.10-1.40.1

kernel-ec2-devel-debuginfo-3.7.10-1.40.1

kernel-trace-3.7.10-1.40.1

kernel-trace-base-3.7.10-1.40.1

kernel-trace-base-debuginfo-3.7.10-1.40.1

kernel-trace-debuginfo-3.7.10-1.40.1

kernel-trace-debugsource-3.7.10-1.40.1

kernel-trace-devel-3.7.10-1.40.1

kernel-trace-devel-debuginfo-3.7.10-1.40.1

kernel-vanilla-3.7.10-1.40.1

kernel-vanilla-debuginfo-3.7.10-1.40.1

kernel-vanilla-debugsource-3.7.10-1.40.1

kernel-vanilla-devel-3.7.10-1.40.1

kernel-vanilla-devel-debuginfo-3.7.10-1.40.1

kernel-xen-3.7.10-1.40.1

kernel-xen-base-3.7.10-1.40.1

kernel-xen-base-debuginfo-3.7.10-1.40.1

kernel-xen-debuginfo-3.7.10-1.40.1

kernel-xen-debugsource-3.7.10-1.40.1

kernel-xen-devel-3.7.10-1.40.1

kernel-xen-devel-debuginfo-3.7.10-1.40.1

 

- openSUSE 12.3 (noarch):

 

kernel-devel-3.7.10-1.40.1

kernel-docs-3.7.10-1.40.2

kernel-source-3.7.10-1.40.1

kernel-source-vanilla-3.7.10-1.40.1

 

- openSUSE 12.3 (i686):

 

kernel-pae-3.7.10-1.40.1

kernel-pae-base-3.7.10-1.40.1

kernel-pae-base-debuginfo-3.7.10-1.40.1

kernel-pae-debuginfo-3.7.10-1.40.1

kernel-pae-debugsource-3.7.10-1.40.1

kernel-pae-devel-3.7.10-1.40.1

kernel-pae-devel-debuginfo-3.7.10-1.40.1

 

 

References:

 

http://support.novell.com/security/cve/CVE-2014-0131.html

http://support.novell.com/security/cve/CVE-2014-2309.html

http://support.novell.com/security/cve/CVE-2014-3144.html

http://support.novell.com/security/cve/CVE-2014-3145.html

http://support.novell.com/security/cve/CVE-2014-3917.html

http://support.novell.com/security/cve/CVE-2014-4014.html

http://support.novell.com/security/cve/CVE-2014-4171.html

http://support.novell.com/security/cve/CVE-2014-4508.html

http://support.novell.com/security/cve/CVE-2014-4652.html

http://support.novell.com/security/cve/CVE-2014-4653.html

http://support.novell.com/security/cve/CVE-2014-4654.html

http://support.novell.com/security/cve/CVE-2014-4655.html

http://support.novell.com/security/cve/CVE-2014-4656.html

http://support.novell.com/security/cve/CVE-2014-4667.html

http://support.novell.com/security/cve/CVE-2014-4699.html

https://bugzilla.novell.com/788080

https://bugzilla.novell.com/867531

https://bugzilla.novell.com/867723

https://bugzilla.novell.com/877257

https://bugzilla.novell.com/880484

https://bugzilla.novell.com/882189

https://bugzilla.novell.com/883518

https://bugzilla.novell.com/883724

https://bugzilla.novell.com/883795

https://bugzilla.novell.com/885422

https://bugzilla.novell.com/885725

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

 

 

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×