kernel: security and bugfix update (important)

The Linux Kernel was updated to fix various bugs and security issues.

CVE-2014-4699: The Linux kernel on Intel processors did not properly
restrict use of a non-canonical value for the saved RIP address in the
case of a system call that does not use IRET, which allowed local users to
leverage a race condition and gain privileges, or cause a denial of
service (double fault), via a crafted application that makes ptrace and
fork system calls.

CVE-2014-4667: The sctp_association_free function in net/sctp/associola.c
in the Linux kernel did not properly manage a certain backlog value, which
allowed remote attackers to cause a denial of service (socket
outage) via a crafted SCTP packet.

CVE-2014-4171: mm/shmem.c in the Linux kernel did not properly implement
the interaction between range notification and hole punching, which
allowed local users to cause a denial of service (i_mutex hold) by using
the mmap system call to access a hole, as demonstrated by interfering with
intended shmem activity by blocking completion of (1) an MADV_REMOVE
madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call.

CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit
x86 platforms, when syscall auditing is enabled and the sep CPU feature
flag is set, allowed local users to cause a denial of service (OOPS and
system crash) via an invalid syscall number, as demonstrated by number
1000.

CVE-2014-4656: Multiple integer overflows in sound/core/control.c in the
ALSA control implementation in the Linux kernel allowed local users to
cause a denial of service by leveraging /dev/snd/controlCX access, related
to (1) index values in the snd_ctl_add function and (2) numid values in
the snd_ctl_remove_numid_conflict function.

CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c in
the ALSA control implementation in the Linux kernel did not properly
maintain the user_ctl_count value, which allowed local users to cause a
denial of service (integer overflow and limit bypass) by leveraging
/dev/snd/controlCX access for a large number of
SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls.

CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c in
the ALSA control implementation in the Linux kernel did not check
authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allowed
local users to remove kernel controls and cause a denial of service
(use-after-free and system crash) by leveraging /dev/snd/controlCX access
for an ioctl call.

CVE-2014-4653: sound/core/control.c in the ALSA control implementation in
the Linux kernel did not ensure possession of a read/write lock, which
allowed local users to cause a denial of service (use-after-free) and
obtain sensitive information from kernel memory by leveraging
/dev/snd/controlCX access.

CVE-2014-4652: Race condition in the tlv handler functionality in the
snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control
implementation in the Linux kernel allowed local users to obtain sensitive
information from kernel memory by leveraging /dev/snd/controlCX access.

CVE-2014-4014: The capabilities implementation in the Linux kernel did not
properly consider that namespaces are inapplicable to inodes, which
allowed local users to bypass intended chmod restrictions by first
creating a user namespace, as demonstrated by setting the setgid bit on a
file with group ownership of root.

CVE-2014-2309: The ip6_route_add function in net/ipv6/route.c in the Linux
kernel did not properly count the addition of routes, which allowed remote
attackers to cause a denial of service (memory consumption) via a flood of
ICMPv6 Router Advertisement packets.

CVE-2014-3917: kernel/auditsc.c in the Linux kernel, when
CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allowed local
users to obtain potentially sensitive single-bit values from kernel memory
or cause a denial of service (OOPS) via a large value of a syscall number.

CVE-2014-0131: Use-after-free vulnerability in the skb_segment function in
net/core/skbuff.c in the Linux kernel allowed attackers to obtain
sensitive information from kernel memory by leveraging the absence of a
certain orphaning operation.

CVE-2014-3144: The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST
extension implementations in the sk_run_filter function in
net/core/filter.c in the Linux kernel did not check whether a certain
length value is sufficiently large, which allowed local users to cause a
denial of service (integer underflow and system crash) via crafted BPF
instructions.

CVE-2014-3145: The BPF_S_ANC_NLATTR_NEST extension implementation in the
sk_run_filter function in net/core/filter.c in the Linux kernel used the
reverse order in a certain subtraction, which allowed local users to cause
a denial of service (over-read and system crash) via crafted BPF
instructions. NOTE: the affected code was moved to the
__skb_get_nlattr_nest function before the vulnerability was announced.

Additional Bug fixed:

• HID: logitech-dj: Fix USB 3.0 issue (bnc#788080).