The SUSE Linux Enterprise 11 SP2 kernel was updated to receive various
security and bug fixes.
The following security bugs were fixed:
- CVE-2016-4486: Fixed 4 byte information leak in net/core/rtnetlink.c
(bsc#978822).
- CVE-2016-3134: The netfilter subsystem in the Linux kernel did not
validate certain offset fields, which allowed local users to gain
privileges or cause a denial of service (heap memory corruption) via an
IPT_SO_SET_REPLACE setsockopt call (bnc#971126).
- CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of
unread data in pipes, which allowed local users to cause a denial of
service (memory consumption) by creating many pipes with non-default
sizes (bnc#970948).
- CVE-2016-2188: The iowarrior_probe function in
drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically
proximate attackers to cause a denial of service (NULL pointer
dereference and system crash) via a crafted endpoints value in a USB
device descriptor (bnc#970956).
- CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in
the Linux kernel allowed physically proximate attackers to cause a
denial of service (NULL pointer dereference and system crash) via a USB
device without both a control and a data endpoint descriptor
(bnc#970911).
- CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel
allowed physically proximate attackers to cause a denial of service
(NULL pointer dereference and system crash) via a USB device without
both an interrupt-in and an interrupt-out endpoint descriptor, related
to the cypress_generic_port_probe and cypress_open functions
(bnc#970970).
- CVE-2016-3140: The digi_port_init function in
drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed
physically proximate attackers to cause a denial of service (NULL
pointer dereference and system crash) via a crafted endpoints value in a
USB device descriptor (bnc#970892).
- CVE-2016-2186: The powermate_probe function in
drivers/input/misc/powermate.c in the Linux kernel allowed physically
proximate attackers to cause a denial of service (NULL pointer
dereference and system crash) via a crafted endpoints value in a USB
device descriptor (bnc#970958).
- CVE-2016-2185: The ati_remote2_probe function in
drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically
proximate attackers to cause a denial of service (NULL pointer
dereference and system crash) via a crafted endpoints value in a USB
device descriptor (bnc#971124).
- CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandles
destruction of device objects, which allowed guest OS users to cause a
denial of service (host OS networking outage) by arranging for a large
number of IP addresses (bnc#971360).
- CVE-2016-2184: The create_fixed_stream_quirk function in
sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel
allowed physically proximate attackers to cause a denial of service
(NULL pointer dereference or double free, and system crash) via a
crafted endpoints value in a USB device descriptor (bnc#971125).
- CVE-2016-3139: The wacom_probe function in
drivers/input/tablet/wacom_sys.c in the Linux kernel allowed physically
proximate attackers to cause a denial of service (NULL pointer
dereference and system crash) via a crafted endpoints value in a USB
device descriptor (bnc#970909).
- CVE-2016-2143: The fork implementation in the Linux kernel on s390
platforms mishandled the case of four page-table levels, which allowed
local users to cause a denial of service (system crash) or possibly have
unspecified other impact via a crafted application, related to
arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h
(bnc#970504).
- CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in
the Linux kernel allowed physically proximate attackers to cause a
denial of service (NULL pointer dereference and system crash) or
possibly have unspecified other impact by inserting a USB device that
lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670).
- CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in
the Linux kernel did not properly maintain a hub-interface data
structure, which allowed physically proximate attackers to cause a
denial of service (invalid memory access and system crash) or possibly
have unspecified other impact by unplugging a USB hub device
(bnc#968010).
- CVE-2015-7566: The clie_5_attach function in drivers/usb/serial/visor.c
in the Linux kernel allowed physically proximate attackers to cause a
denial of service (NULL pointer dereference and system crash) or
possibly have unspecified other impact by inserting a USB device that
lacks a bulk-out endpoint (bnc#961512).
- CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel did not prevent
recursive callback access, which allowed local users to cause a denial
of service (deadlock) via a crafted ioctl call (bnc#968013).
- CVE-2016-2547: sound/core/timer.c in the Linux kernel employed a locking
approach that did not consider slave timer instances, which allowed
local users to cause a denial of service (race condition,
use-after-free, and system crash) via a crafted ioctl call (bnc#968011).
- CVE-2016-2548: sound/core/timer.c in the Linux kernel retained certain
linked lists after a close or stop action, which allowed local users to
cause a denial of service (system crash) via a crafted ioctl call,
related to the (1) snd_timer_close and (2) _snd_timer_stop functions
(bnc#968012).
- CVE-2016-2546: sound/core/timer.c in the Linux kernel used an incorrect
type of mutex, which allowed local users to cause a denial of service
(race condition, use-after-free, and system crash) via a crafted ioctl
call (bnc#967975).
- CVE-2016-2545: The snd_timer_interrupt function in sound/core/timer.c in
the Linux kernel did not properly maintain a certain linked list, which
allowed local users to cause a denial of service (race condition and
system crash) via a crafted ioctl call (bnc#967974).
- CVE-2016-2544: Race condition in the queue_delete function in
sound/core/seq/seq_queue.c in the Linux kernel allowed local users to
cause a denial of service (use-after-free and system crash) by making an
ioctl call at a certain time (bnc#967973).
- CVE-2016-2543: The snd_seq_ioctl_remove_events function in
sound/core/seq/seq_clientmgr.c in the Linux kernel did not verify FIFO
assignment before proceeding with FIFO clearing, which allowed local
users to cause a denial of service (NULL pointer dereference and OOPS)
via a crafted ioctl call (bnc#967972).
- CVE-2016-2384: Double free vulnerability in the snd_usbmidi_create
function in sound/usb/midi.c in the Linux kernel allowed physically
proximate attackers to cause a denial of service (panic) or possibly
have unspecified other impact via vectors involving an invalid USB
descriptor (bnc#966693).
- CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel
did not properly identify error conditions, which allowed remote
attackers to execute arbitrary code or cause a denial of service
(use-after-free) via crafted packets (bnc#966437).
- CVE-2015-8785: The fuse_fill_write_pages function in fs/fuse/file.c in
the Linux kernel allowed local users to cause a denial of service
(infinite loop) via a writev system call that triggers a zero length for
the first segment of an iov (bnc#963765).
- CVE-2016-2069: Race condition in arch/x86/mm/tlb.c in the Linux kernel
.4.1 allowed local users to gain privileges by triggering access to a
paging structure by a different CPU (bnc#963767).
- CVE-2016-0723: Race condition in the tty_ioctl function in
drivers/tty/tty_io.c in the Linux kernel allowed local users to obtain
sensitive information from kernel memory or cause a denial of service
(use-after-free and system crash) by making a TIOCGETD ioctl call during
processing of a TIOCSETD ioctl call (bnc#961500).
- CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the
Linux kernel allowed local users to bypass intended AF_UNIX socket
permissions or cause a denial of service (panic) via crafted epoll_ctl
calls (bnc#955654).
- CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux kernel did not
properly manage the relationship between a lock and a socket, which
allowed local users to cause a denial of service (deadlock) via a
crafted sctp_accept call (bnc#961509).
- CVE-2015-7515: The aiptek_probe function in
drivers/input/tablet/aiptek.c in the Linux kernel allowed physically
proximate attackers to cause a denial of service (NULL pointer
dereference and system crash) via a crafted USB device that lacks
endpoints (bnc#956708).
- CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel
did not validate attempted changes to the MTU value, which allowed
context-dependent attackers to cause a denial of service (packet loss)
via a value that is (1) smaller than the minimum compliant value or (2)
larger than the MTU of an interface, as demonstrated by a Router
Advertisement (RA) message that is not validated by a daemon, a
different vulnerability than CVE-2015-0272 (bnc#955354).
- CVE-2015-7550: The keyctl_read_key function in security/keys/keyctl.c in
the Linux kernel did not properly use a semaphore, which allowed local
users to cause a denial of service (NULL pointer dereference and system
crash) or possibly have unspecified other impact via a crafted
application that leverages a race condition between keyctl_revoke and
keyctl_read calls (bnc#958951).
- CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in
drivers/net/ppp/pptp.c in the Linux kernel did not verify an address
length, which allowed local users to obtain sensitive information from
kernel memory and bypass the KASLR protection mechanism via a crafted
application (bnc#959190).
- CVE-2015-8575: The sco_sock_bind function in net/bluetooth/sco.c in the
Linux kernel did not verify an address length, which allowed local users
to obtain sensitive information from kernel memory and bypass the KASLR
protection mechanism via a crafted application (bnc#959399).
- CVE-2015-8543: The networking implementation in the Linux kernel did not
validate protocol identifiers for certain protocol families, which
allowed local users to cause a denial of service (NULL function pointer
dereference and system crash) or possibly gain privileges by leveraging
CLONE_NEWUSER support to execute a crafted SOCK_RAW application
(bnc#958886).
- CVE-2015-8539: The KEYS subsystem in the Linux kernel allowed local
users to gain privileges or cause a denial of service (BUG) via crafted
keyctl commands that negatively instantiate a key, related to
security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and
security/keys/user_defined.c (bnc#958463).
- CVE-2015-7509: fs/ext4/namei.c in the Linux kernel allowed physically
proximate attackers to cause a denial of service (system crash) via a
crafted no-journal filesystem, a related issue to CVE-2013-2015
(bnc#956709).
- CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the
Linux kernel did not ensure that certain slot numbers are valid, which
allowed local users to cause a denial of service (NULL pointer
dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call
(bnc#949936).
- CVE-2015-8104: The KVM subsystem in the Linux kernel allowed guest OS
users to cause a denial of service (host OS panic or hang) by triggering
many #DB (aka Debug) exceptions, related to svm.c (bnc#954404).
- CVE-2015-5307: The KVM subsystem in the Linux kernel allowed guest OS
users to cause a denial of service (host OS panic or hang) by triggering
many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c
(bnc#953527).
- CVE-2015-7990: Race condition in the rds_sendmsg function in
net/rds/sendmsg.c in the Linux kernel allowed local users to cause a
denial of service (NULL pointer dereference and system crash) or
possibly have unspecified other impact by using a socket that was not
properly bound (bnc#952384).
- CVE-2015-7872: The key_gc_unused_keys function in security/keys/gc.c in
the Linux kernel allowed local users to cause a denial of service (OOPS)
via crafted keyctl commands (bnc#951440).
- CVE-2015-6937: The __rds_conn_create function in net/rds/connection.c in
the Linux kernel allowed local users to cause a denial of service (NULL
pointer dereference and system crash) or possibly have unspecified other
impact by using a socket that was not properly bound (bnc#945825).
- CVE-2015-6252: The vhost_dev_ioctl function in drivers/vhost/vhost.c in
the Linux kernel allowed local users to cause a denial of service
(memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers
permanent file-descriptor allocation (bnc#942367).
- CVE-2015-3339: Race condition in the prepare_binprm function in
fs/exec.c in the Linux kernel allowed local users to gain privileges by
executing a setuid program at a time instant when a chown to root is in
progress, and the ownership is changed but the setuid bit is not yet
stripped (bnc#928130).
The following non-security bugs were fixed:
- Fix handling of re-write-before-commit for mmapped NFS pages
(bsc#964201).
- Fix lpfc_send_rscn_event allocation size claims bnc#935757
- Fix ntpd clock synchronization in Xen PV domains (bnc#816446).
- Fix vmalloc_fault oops during lazy MMU updates (bsc#948562).
- Make sure XPRT_CONNECTING gets cleared when needed (bsc#946309).
- SCSI: bfa: Fix to handle firmware tskim abort request response
(bsc#972510).
- USB: usbip: fix potential out-of-bounds write (bnc#975945).
- af_unix: Guard against other == sk in unix_dgram_sendmsg (bsc#973570).
- dm-snap: avoid deadock on s->lock when a read is split (bsc#939826).
- mm/hugetlb: check for pte NULL pointer in __page_check_address()
(bsc#977847).
- nf_conntrack: fix bsc#758540 kabi fix (bsc#946117).
- privcmd: allow preempting long running user-mode originating hypercalls
(bnc#861093).
- s390/cio: collect format 1 channel-path description data (bsc#966460,
bsc#966662).
- s390/cio: ensure consistent measurement state (bsc#966460, bsc#966662).
- s390/cio: fix measurement characteristics memleak (bsc#966460,
bsc#966662).
- s390/cio: update measurement characteristics (bsc#966460, bsc#966662).
- xfs: Fix lost direct IO write in the last block (bsc#949744).