SUSE-SU-2014:0536-1

Security update for Linux kernel (important)

Published: 2014-04-16 20:04:36 (lists.opensuse.org)

EPSS: 0.741 (High), percentile 97.8%

The SUSE Linux Enterprise Server 10 Service Pack 4 LTSS
kernel has been updated to fix various security issues and
several bugs.

The following security issues have been addressed:

CVE-2011-2492: The bluetooth subsystem in the Linux
kernel before 3.0-rc4 does not properly initialize certain
data structures, which allows local users to obtain
potentially sensitive information from kernel memory via a
crafted getsockopt system call, related to (1) the
l2cap_sock_getsockopt_old function in
net/bluetooth/l2cap_sock.c and (2) the
rfcomm_sock_getsockopt_old function in
net/bluetooth/rfcomm/sock.c. (bnc#702014)

CVE-2011-2494: kernel/taskstats.c in the Linux kernel
before 3.1 allows local users to obtain sensitive I/O
statistics by sending taskstats commands to a netlink
socket, as demonstrated by discovering the length of
another user’s password. (bnc#703156)

CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux
kernel before 3.6 does not initialize certain structures,
which allows local users to obtain sensitive information
from kernel memory by leveraging the CAP_NET_ADMIN
capability. (bnc#809889)

CVE-2012-6539: The dev_ifconf function in
net/socket.c in the Linux kernel before 3.6 does not
initialize a certain structure, which allows local users to
obtain sensitive information from kernel stack memory via a
crafted application. (bnc#809891)

CVE-2012-6540: The do_ip_vs_get_ctl function in
net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before
3.6 does not initialize a certain structure for
IP_VS_SO_GET_TIMEOUT commands, which allows local users to
obtain sensitive information from kernel stack memory via a
crafted application. (bnc#809892)

CVE-2012-6541: The ccid3_hc_tx_getsockopt function in
net/dccp/ccids/ccid3.c in the Linux kernel before 3.6 does
not initialize a certain structure, which allows local
users to obtain sensitive information from kernel stack
memory via a crafted application. (bnc#809893)

CVE-2012-6542: The llc_ui_getname function in
net/llc/af_llc.c in the Linux kernel before 3.6 has an
incorrect return value in certain circumstances, which
allows local users to obtain sensitive information from
kernel stack memory via a crafted application that
leverages an uninitialized pointer argument. (bnc#809894)

CVE-2012-6544: The Bluetooth protocol stack in the
Linux kernel before 3.6 does not properly initialize
certain structures, which allows local users to obtain
sensitive information from kernel stack memory via a
crafted application that targets the (1) L2CAP or (2) HCI
implementation. (bnc#809898)

CVE-2012-6545: The Bluetooth RFCOMM implementation in
the Linux kernel before 3.6 does not properly initialize
certain structures, which allows local users to obtain
sensitive information from kernel memory via a crafted
application. (bnc#809899)

CVE-2012-6546: The ATM implementation in the Linux
kernel before 3.6 does not initialize certain structures,
which allows local users to obtain sensitive information
from kernel stack memory via a crafted application.
(bnc#809900)

CVE-2012-6547: The __tun_chr_ioctl function in
drivers/net/tun.c in the Linux kernel before 3.6 does not
initialize a certain structure, which allows local users to
obtain sensitive information from kernel stack memory via a
crafted application. (bnc#809901)

CVE-2012-6549: The isofs_export_encode_fh function in
fs/isofs/export.c in the Linux kernel before 3.6 does not
initialize a certain structure member, which allows local
users to obtain sensitive information from kernel heap
memory via a crafted application. (bnc#809903)

CVE-2013-0343: The ipv6_create_tempaddr function in
net/ipv6/addrconf.c in the Linux kernel through 3.8 does
not properly handle problems with the generation of IPv6
temporary addresses, which allows remote attackers to cause
a denial of service (excessive retries and
address-generation outage), and consequently obtain
sensitive information, via ICMPv6 Router Advertisement (RA)
messages. (bnc#805226)

CVE-2013-0914: The flush_signal_handlers function in
kernel/signal.c in the Linux kernel before 3.8.4 preserves
the value of the sa_restorer field across an exec
operation, which makes it easier for local users to bypass
the ASLR protection mechanism via a crafted application
containing a sigaction system call. (bnc#808827)

CVE-2013-1827: net/dccp/ccid.h in the Linux kernel
before 3.5.4 allows local users to gain privileges or cause
a denial of service (NULL pointer dereference and system
crash) by leveraging the CAP_NET_ADMIN capability for a
certain (1) sender or (2) receiver getsockopt call.
(bnc#811354)

CVE-2013-2141: The do_tkill function in
kernel/signal.c in the Linux kernel before 3.8.9 does not
initialize a certain data structure, which allows local
users to obtain sensitive information from kernel memory
via a crafted application that makes a (1) tkill or (2)
tgkill system call. (bnc#823267)

CVE-2013-2164: The mmc_ioctl_cdrom_read_data function
in drivers/cdrom/cdrom.c in the Linux kernel through 3.10
allows local users to obtain sensitive information from
kernel memory via a read operation on a malfunctioning
CD-ROM drive. (bnc#824295)

CVE-2013-2206: The sctp_sf_do_5_2_4_dupcook function
in net/sctp/sm_statefuns.c in the SCTP implementation in
the Linux kernel before 3.8.5 does not properly handle
associations during the processing of a duplicate COOKIE
ECHO chunk, which allows remote attackers to cause a denial
of service (NULL pointer dereference and system crash) or
possibly have unspecified other impact via crafted SCTP
traffic. (bnc#826102)

CVE-2013-2232: The ip6_sk_dst_check function in
net/ipv6/ip6_output.c in the Linux kernel before 3.10
allows local users to cause a denial of service (system
crash) by using an AF_INET6 socket for a connection to an
IPv4 interface. (bnc#827750)

CVE-2013-2234: The (1) key_notify_sa_flush and (2)
key_notify_policy_flush functions in net/key/af_key.c in
the Linux kernel before 3.10 do not initialize certain
structure members, which allows local users to obtain
sensitive information from kernel heap memory by reading a
broadcast message from the notify interface of an IPSec
key_socket. (bnc#827749)

CVE-2013-2237: The key_notify_policy_flush function
in net/key/af_key.c in the Linux kernel before 3.9 does not
initialize a certain structure member, which allows local
users to obtain sensitive information from kernel heap
memory by reading a broadcast message from the
notify_policy interface of an IPSec key_socket. (bnc#828119)

CVE-2013-2888: Multiple array index errors in
drivers/hid/hid-core.c in the Human Interface Device (HID)
subsystem in the Linux kernel through 3.11 allow physically
proximate attackers to execute arbitrary code or cause a
denial of service (heap memory corruption) via a crafted
device that provides an invalid Report ID. (bnc#835839)

CVE-2013-2893: The Human Interface Device (HID)
subsystem in the Linux kernel through 3.11, when
CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or
CONFIG_LOGIWHEELS_FF is enabled, allows physically
proximate attackers to cause a denial of service
(heap-based out-of-bounds write) via a crafted device,
related to (1) drivers/hid/hid-lgff.c, (2)
drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c.
(bnc#835839)

CVE-2013-2897: Multiple array index errors in
drivers/hid/hid-multitouch.c in the Human Interface Device
(HID) subsystem in the Linux kernel through 3.11, when
CONFIG_HID_MULTITOUCH is enabled, allow physically
proximate attackers to cause a denial of service (heap
memory corruption, or NULL pointer dereference and OOPS)
via a crafted device. (bnc#835839)

CVE-2013-3222: The vcc_recvmsg function in
net/atm/common.c in the Linux kernel before 3.9-rc7 does
not initialize a certain length variable, which allows
local users to obtain sensitive information from kernel
stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3223: The ax25_recvmsg function in
net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does
not initialize a certain data structure, which allows local
users to obtain sensitive information from kernel stack
memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3224: The bt_sock_recvmsg function in
net/bluetooth/af_bluetooth.c in the Linux kernel before
3.9-rc7 does not properly initialize a certain length
variable, which allows local users to obtain sensitive
information from kernel stack memory via a crafted recvmsg
or recvfrom system call. (bnc#816668)

CVE-2013-3228: The irda_recvmsg_dgram function in
net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does
not initialize a certain length variable, which allows
local users to obtain sensitive information from kernel
stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3229: The iucv_sock_recvmsg function in
net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does
not initialize a certain length variable, which allows
local users to obtain sensitive information from kernel
stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3231: The llc_ui_recvmsg function in
net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does
not initialize a certain length variable, which allows
local users to obtain sensitive information from kernel
stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3232: The nr_recvmsg function in
net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7
does not initialize a certain data structure, which allows
local users to obtain sensitive information from kernel
stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3234: The rose_recvmsg function in
net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does
not initialize a certain data structure, which allows local
users to obtain sensitive information from kernel stack
memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3235: net/tipc/socket.c in the Linux kernel
before 3.9-rc7 does not initialize a certain data structure
and a certain length variable, which allows local users to
obtain sensitive information from kernel stack memory via a
crafted recvmsg or recvfrom system call. (bnc#816668)
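The recvmsg fixes above (CVE-2013-3222 through CVE-2013-3235) share one pattern: the protocol handler fills in no address but leaves msg_namelen at the length the caller requested, so the generic socket layer copies that many uninitialised kernel stack bytes to user space. The following C model is a constructed example added here, not code from the advisory or the kernel; it reproduces the pattern and the fix of having the handler set msg_namelen to 0, with all structure and function names being stand-ins for the kernel's.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define ADDR_MAX 32  /* stands in for sizeof(struct sockaddr_storage) */

/* Model of the msghdr fields the generic socket layer hands to a protocol's recvmsg. */
struct msg_model {
    uint8_t msg_name[ADDR_MAX]; /* address buffer on the kernel stack, never cleared */
    size_t  msg_namelen;        /* length copied back to user after the call */
};

/* Constructed stale stack contents, standing in for data a previous kernel call left behind. */
static const uint8_t STALE_STACK[ADDR_MAX] = "stale-kernel-stack-secret-01234";

/* Buggy handler (the pre-fix pattern): supplies no address and leaves msg_namelen untouched. */
static int proto_recvmsg_vuln(struct msg_model *msg, char *out, size_t outlen) {
    (void)msg;
    return snprintf(out, outlen, "payload");
}

/* Fixed handler: states that no address was written, so no stale bytes are copied out. */
static int proto_recvmsg_fixed(struct msg_model *msg, char *out, size_t outlen) {
    msg->msg_namelen = 0;
    return snprintf(out, outlen, "payload");
}

/* Generic layer, modelled on __sys_recvmsg + move_addr_to_user: msg_namelen starts as the
 * caller's requested length, and that many bytes of msg_name are copied to user space.
 * Returns the number of address bytes copied out; user_addr receives them. */
static size_t sock_recvmsg_model(int (*proto)(struct msg_model *, char *, size_t),
                                 size_t user_addr_len, uint8_t *user_addr,
                                 char *out, size_t outlen) {
    struct msg_model msg;
    memcpy(msg.msg_name, STALE_STACK, ADDR_MAX);      /* emulate the uninitialised frame */
    msg.msg_namelen = user_addr_len > ADDR_MAX ? ADDR_MAX : user_addr_len;
    proto(&msg, out, outlen);
    memcpy(user_addr, msg.msg_name, msg.msg_namelen); /* move_addr_to_user() */
    return msg.msg_namelen;
}

int main(void) {
    uint8_t addr[ADDR_MAX]; char out[16];
    size_t n = sock_recvmsg_model(proto_recvmsg_vuln, ADDR_MAX, addr, out, sizeof out);
    printf("vulnerable handler: %zu stale bytes reached user space: %.31s\n", n, addr);
    n = sock_recvmsg_model(proto_recvmsg_fixed, ADDR_MAX, addr, out, sizeof out);
    printf("fixed handler: %zu address bytes reached user space\n", n);
    return 0;
}
```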

CVE-2013-4162: The udp_v6_push_pending_frames
function in net/ipv6/udp.c in the IPv6 implementation in
the Linux kernel through 3.10.3 makes an incorrect function
call for pending data, which allows local users to cause a
denial of service (BUG and system crash) via a crafted
application that uses the UDP_CORK option in a setsockopt
system call. (bnc#831058)

CVE-2013-4387: net/ipv6/ip6_output.c in the Linux
kernel through 3.11.4 does not properly determine the need
for UDP Fragmentation Offload (UFO) processing of small
packets after the UFO queueing of a large packet, which
allows remote attackers to cause a denial of service
(memory corruption and system crash) or possibly have
unspecified other impact via network traffic that triggers
a large response packet. (bnc#843430)

CVE-2013-4470: The Linux kernel before 3.12, when UDP
Fragmentation Offload (UFO) is enabled, does not properly
initialize certain data structures, which allows local
users to cause a denial of service (memory corruption and
system crash) or possibly gain privileges via a crafted
application that uses the UDP_CORK option in a setsockopt
system call and sends both short and long packets, related
to the ip_ufo_append_data function in net/ipv4/ip_output.c
and the ip6_ufo_append_data function in
net/ipv6/ip6_output.c. (bnc#847672)

CVE-2013-4483: The ipc_rcu_putref function in
ipc/util.c in the Linux kernel before 3.10 does not
properly manage a reference count, which allows local users
to cause a denial of service (memory consumption or system
crash) via a crafted application. (bnc#848321)

CVE-2013-4588: Multiple stack-based buffer overflows
in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel
before 2.6.33, when CONFIG_IP_VS is used, allow local users
to gain privileges by leveraging the CAP_NET_ADMIN
capability for (1) a getsockopt system call, related to the
do_ip_vs_get_ctl function, or (2) a setsockopt system call,
related to the do_ip_vs_set_ctl function. (bnc#851095)

CVE-2013-6383: The aac_compat_ioctl function in
drivers/scsi/aacraid/linit.c in the Linux kernel before
3.11.8 does not require the CAP_SYS_RAWIO capability, which
allows local users to bypass intended access restrictions
via a crafted ioctl call. (bnc#852558)

CVE-2014-1444: The fst_get_iface function in
drivers/net/wan/farsync.c in the Linux kernel before 3.11.7
does not properly initialize a certain data structure,
which allows local users to obtain sensitive information
from kernel memory by leveraging the CAP_NET_ADMIN
capability for an SIOCWANDEV ioctl call. (bnc#858869)

CVE-2014-1445: The wanxl_ioctl function in
drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7
does not properly initialize a certain data structure,
which allows local users to obtain sensitive information
from kernel memory via an ioctl call. (bnc#858870)

CVE-2014-1446: The yam_ioctl function in
drivers/net/hamradio/yam.c in the Linux kernel before
3.12.8 does not initialize a certain structure member,
which allows local users to obtain sensitive information
from kernel memory by leveraging the CAP_NET_ADMIN
capability for an SIOCYAMGCFG ioctl call. (bnc#858872)

Also the following non-security bugs have been fixed:

  • kernel: Remove newline from execve audit log (bnc#827855).
  • kernel: sclp console hangs (bnc#830344, LTC#95711).
  • kernel: fix flush_tlb_kernel_range (bnc#825052, LTC#94745).
  • kernel: lost IPIs on CPU hotplug (bnc#825052, LTC#94784).
  • sctp: deal with multiple COOKIE_ECHO chunks (bnc#826102).
  • net: Uninline kfree_skb and allow NULL argument (bnc#853501).
  • netback: don’t disconnect frontend when seeing oversize packet.
  • netfront: reduce gso_max_size to account for max TCP header.
  • fs/dcache: Avoid race in d_splice_alias and vfs_rmdir (bnc#845028).
  • fs/proc: proc_task_lookup() fix memory pinning (bnc#827362, bnc#849765).
  • blkdev_max_block: make private to fs/buffer.c (bnc#820338).
  • vfs: avoid "attempt to access beyond end of device" warnings (bnc#820338).
  • vfs: fix O_DIRECT read past end of block device (bnc#820338).
  • cifs: don’t use CIFSGetSrvInodeNumber in is_path_accessible (bnc#832603).
  • xfs: Fix kABI breakage caused by AIL list transformation (bnc#806219).
  • xfs: Replace custom AIL linked-list code with struct list_head (bnc#806219).
  • reiserfs: fix problems with chowning setuid file w/ xattrs (bnc#790920).
  • reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry (bnc#822722).
  • jbd: Fix forever sleeping process in do_get_write_access() (bnc#827983).
  • HID: check for NULL field when setting values (bnc#835839).
  • HID: provide a helper for validating hid reports (bnc#835839).
  • bcm43xx: netlink deadlock fix (bnc#850241).
  • bnx2: Close device if tx_timeout reset fails (bnc#857597).
  • xfrm: invalidate dst on policy insertion/deletion (bnc#842239).
  • xfrm: prevent ipcomp scratch buffer race condition (bnc#842239).
  • lpfc: Update to 8.2.0.106 (bnc#798050).
  • Make lpfc task management timeout configurable (bnc#798050).
  • dpt_i2o: Remove DPTI_STATE_IOCTL (bnc#798050).
  • dpt_i2o: return SCSI_MLQUEUE_HOST_BUSY when in reset (bnc#798050).
  • advansys: Remove ‘last_reset’ references (bnc#798050).
  • tmscsim: Move ‘last_reset’ into host structure (bnc#798050).
  • dc395: Move ‘last_reset’ into internal host structure (bnc#798050).
  • scsi: remove check for ‘resetting’ (bnc#798050).
  • scsi: Allow error handling timeout to be specified (bnc#798050).
  • scsi: Eliminate error handler overload of the SCSI serial number (bnc#798050).
  • scsi: Reduce sequential pointer derefs in scsi_error.c and reduce size as well (bnc#798050).
  • scsi: Reduce error recovery time by reducing use of TURs (bnc#798050).
  • scsi: fix eh wakeup (scsi_schedule_eh vs scsi_restart_operations).
  • scsi: cleanup setting task state in scsi_error_handler() (bnc#798050).
  • scsi: Add ‘eh_deadline’ to limit SCSI EH runtime (bnc#798050).
  • scsi: Fixup compilation warning (bnc#798050).
  • scsi: fc class: fix scanning when devs are offline (bnc#798050).
  • scsi: Warn on invalid command completion (bnc#798050).
  • scsi: Retry failfast commands after EH (bnc#798050).
  • scsi: kABI fixes (bnc#798050).