http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fc3a9157d3148ab91039c75423da8ef97be3e105

SUSE-SU-2015:0652

http://mirror.linux.org.au/linux/kernel/v2.6/ChangeLog-2.6.38

RHSA-2016:0855

[oss-security] 20141113 CVE-2014-7842 Linux kernel: kvm: reporting emulation failures to userspace

http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

71363

https://bugzilla.redhat.com/show_bug.cgi?id=1163762

https://github.com/torvalds/linux/commit/fc3a9157d3148ab91039c75423da8ef97be3e105

Security Fix(es) :

  - It was found that reporting emulation failures to user     space could lead to either a local (CVE-2014-7842) or a     L2->L1 (CVE-2010-5313) denial of service. In the case of     a local denial of service, an attacker must have access     to the MMIO area or be able to access an I/O port.
    Please note that on certain systems, HPET is mapped to     userspace as part of vdso (vvar) and thus an     unprivileged user may generate MMIO transactions (and     enter the emulator) this way. (CVE-2010-5313,     CVE-2014-7842, Moderate)

  - It was found that the Linux kernel did not properly     account file descriptors passed over the unix socket     against the process limit. A local user could use this     flaw to exhaust all available memory on the system.
    (CVE-2013-4312, Moderate)

  - A buffer overflow flaw was found in the way the Linux     kernel's virtio- net subsystem handled certain fraglists     when the GRO (Generic Receive Offload) functionality was     enabled in a bridged network configuration. An attacker     on the local network could potentially use this flaw to     crash the system, or, although unlikely, elevate their     privileges on the system. (CVE-2015-5156, Moderate)

  - It was found that the Linux kernel's IPv6 network stack     did not properly validate the value of the MTU variable     when it was set. A remote attacker could potentially use     this flaw to disrupt a target system's networking     (packet loss) by setting an invalid MTU value, for     example, via a NetworkManager daemon that is processing     router advertisement packets running on the target     system. (CVE-2015-8215, Moderate)

  - A NULL pointer dereference flaw was found in the way the     Linux kernel's network subsystem handled socket creation     with an invalid protocol identifier. A local user could     use this flaw to crash the system. (CVE-2015-8543,     Moderate)

  - It was found that the espfix functionality does not work     for 32-bit KVM paravirtualized guests. A local,     unprivileged guest user could potentially use this flaw     to leak kernel stack addresses. (CVE-2014-8134, Low)

  - A flaw was found in the way the Linux kernel's ext4 file     system driver handled non-journal file systems with an     orphan list. An attacker with physical access to the     system could use this flaw to crash the system or,     although unlikely, escalate their privileges on the     system. (CVE-2015-7509, Low)

  - A NULL pointer dereference flaw was found in the way the     Linux kernel's ext4 file system driver handled certain     corrupted file system images. An attacker with physical     access to the system could use this flaw to crash the     system. (CVE-2015-8324, Low)

Notes :

  - Problems have been reported with this kernel and     VirtualBox. More info is available in the notes for the     VirtualBox ticket here: <a     href='https://www.virtualbox.org/ticket/14866'     target='_blank'>https://www.virtualbox.org/ticket/14866<     /a>

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2016-0855 advisory.

  - The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper     paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the     ASLR protection mechanism via a crafted application that reads a 16-bit value. (CVE-2014-8134)

  - The virtnet_probe function in drivers/net/virtio_net.c in the Linux kernel before 4.2 attempts to support     a FRAGLIST feature without proper memory allocation, which allows guest OS users to cause a denial of     service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets.
    (CVE-2015-5156)

  - Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 allows L2 guest OS users to cause a     denial of service (L1 guest OS crash) via a crafted instruction that triggers an L2 emulation failure     report, a similar issue to CVE-2014-7842. (CVE-2010-5313)

  - Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 allows guest OS users to cause a     denial of service (guest OS crash) via a crafted application that performs an MMIO transaction or a PIO     transaction to trigger a guest userspace emulation error report, a similar issue to CVE-2010-5313.
    (CVE-2014-7842)

  - The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of     service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to     net/unix/af_unix.c and net/unix/garbage.c. (CVE-2013-4312)

  - net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel before 4.0 does not validate attempted changes     to the MTU value, which allows context-dependent attackers to cause a denial of service (packet loss) via     a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface,     as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different     vulnerability than CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager     product. (CVE-2015-8215)

  - The ext4 implementation in the Linux kernel before 2.6.34 does not properly track the initialization of     certain data structures, which allows physically proximate attackers to cause a denial of service (NULL     pointer dereference and panic) via a crafted USB device, related to the ext4_fill_super function.
    (CVE-2015-8324)

  - The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products,     does not validate protocol identifiers for certain protocol families, which allows local users to cause a     denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by     leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application. (CVE-2015-8543)

  - fs/ext4/namei.c in the Linux kernel before 3.7 allows physically proximate attackers to cause a denial of     service (system crash) via a crafted no-journal filesystem, a related issue to CVE-2013-2015.
    (CVE-2015-7509)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for kernel is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. Please note that on certain systems, HPET is mapped to userspace as part of vdso (vvar) and thus an unprivileged user may generate MMIO transactions (and enter the emulator) this way. (CVE-2010-5313, CVE-2014-7842, Moderate)

* It was found that the Linux kernel did not properly account file descriptors passed over the unix socket against the process limit. A local user could use this flaw to exhaust all available memory on the system. (CVE-2013-4312, Moderate)

* A buffer overflow flaw was found in the way the Linux kernel's virtio-net subsystem handled certain fraglists when the GRO (Generic Receive Offload) functionality was enabled in a bridged network configuration. An attacker on the local network could potentially use this flaw to crash the system, or, although unlikely, elevate their privileges on the system. (CVE-2015-5156, Moderate)

* It was found that the Linux kernel's IPv6 network stack did not properly validate the value of the MTU variable when it was set. A remote attacker could potentially use this flaw to disrupt a target system's networking (packet loss) by setting an invalid MTU value, for example, via a NetworkManager daemon that is processing router advertisement packets running on the target system. (CVE-2015-8215, Moderate)

* A NULL pointer dereference flaw was found in the way the Linux kernel's network subsystem handled socket creation with an invalid protocol identifier. A local user could use this flaw to crash the system. (CVE-2015-8543, Moderate)

* It was found that the espfix functionality does not work for 32-bit KVM paravirtualized guests. A local, unprivileged guest user could potentially use this flaw to leak kernel stack addresses.
(CVE-2014-8134, Low)

* A flaw was found in the way the Linux kernel's ext4 file system driver handled non-journal file systems with an orphan list. An attacker with physical access to the system could use this flaw to crash the system or, although unlikely, escalate their privileges on the system. (CVE-2015-7509, Low)

* A NULL pointer dereference flaw was found in the way the Linux kernel's ext4 file system driver handled certain corrupted file system images. An attacker with physical access to the system could use this flaw to crash the system. (CVE-2015-8324, Low)

Red Hat would like to thank Nadav Amit for reporting CVE-2010-5313 and CVE-2014-7842, Andy Lutomirski for reporting CVE-2014-8134, and Dmitriy Monakhov (OpenVZ) for reporting CVE-2015-8324. The CVE-2015-5156 issue was discovered by Jason Wang (Red Hat).

Additional Changes :

* Refer to Red Hat Enterprise Linux 6.8 Release Notes for information on new kernel features and known issues, and Red Hat Enterprise Linux Technical Notes for information on device driver updates, important changes to external kernel parameters, notable bug fixes, and technology previews. Both of these documents are linked to in the References section.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0037 for details.

CVE-2010-5313 Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 allows L2 guest OS users to cause a denial of service (L1 guest OS crash) via a crafted instruction that triggers an L2 emulation failure report, a similar issue to CVE-2014-7842.

CVE-2014-7842 Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 allows guest OS users to cause a denial of service (guest OS crash) via a crafted application that performs an MMIO transaction or a PIO transaction to trigger a guest userspace emulation error report, a similar issue to CVE-2010-5313.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2016-3502 advisory.

  - The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a     bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability     than CVE-2014-9644. (CVE-2013-7421)

  - The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a     bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name     field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421.
    (CVE-2014-9644)

  - Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 allows guest OS users to cause a     denial of service (guest OS crash) via a crafted application that performs an MMIO transaction or a PIO     transaction to trigger a guest userspace emulation error report, a similar issue to CVE-2010-5313.
    (CVE-2014-7842)

  - Race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to     gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against     uninitialized data, related to msg.c, shm.c, and util.c. (CVE-2015-7613)

  - The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to     cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions,     related to svm.c and vmx.c. (CVE-2015-5307)

  - The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to     cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related     to svm.c. (CVE-2015-8104)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

* A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system.
(CVE-2015-2925, Important)

* A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system.
(CVE-2015-7613, Important)

* It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. (CVE-2010-5313, CVE-2014-7842, Moderate)

* A flaw was found in the way the Linux kernel's KVM subsystem handled non-canonical addresses when emulating instructions that change the RIP (for example, branches or calls). A guest user with access to an I/O or MMIO region could use this flaw to crash the guest.
(CVE-2014-3647, Moderate)

* It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker could use this flaw to lock up the system.
(CVE-2014-8171, Moderate)

* A race condition flaw was found between the chown and execve system calls. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate)

* A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-4170, Moderate)

* A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate)

* A flaw was found in the way the Linux kernel's perf subsystem retrieved userlevel stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-6526, Moderate)

* A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low)

* An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process.
(CVE-2014-9419, Low)

* It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the SYSENTER model-specific registers (MSRs). Note: Certified guest operating systems for Scientific Linux with KVM do initialize the SYSENTER MSRs and are thus not vulnerable to this issue when running on a KVM hypervisor. (CVE-2015-0239, Low)

* A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low)

Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 7. This is the second regular update.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system.
(CVE-2015-2925, Important)

* A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system.
(CVE-2015-7613, Important)

* It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. (CVE-2010-5313, CVE-2014-7842, Moderate)

* A flaw was found in the way the Linux kernel's KVM subsystem handled non-canonical addresses when emulating instructions that change the RIP (for example, branches or calls). A guest user with access to an I/O or MMIO region could use this flaw to crash the guest.
(CVE-2014-3647, Moderate)

* It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker could use this flaw to lock up the system.
(CVE-2014-8171, Moderate)

* A race condition flaw was found between the chown and execve system calls. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate)

* A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-4170, Moderate)

* A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate)

* A flaw was found in the way the Linux kernel's perf subsystem retrieved userlevel stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-6526, Moderate)

* A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low)

* An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process.
(CVE-2014-9419, Low)

* It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the SYSENTER model-specific registers (MSRs). Note: Certified guest operating systems for Red Hat Enterprise Linux with KVM do initialize the SYSENTER MSRs and are thus not vulnerable to this issue when running on a KVM hypervisor.
(CVE-2015-0239, Low)

* A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low)

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2015-2152 advisory.

  - The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a     bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability     than CVE-2014-9644. (CVE-2013-7421)

  - The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a     bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name     field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421.
    (CVE-2014-9644)

  - The memory resource controller (aka memcg) in the Linux kernel allows local users to cause a denial of     service (deadlock) by spawning new processes within a memory-constrained cgroup. (CVE-2014-8171)

  - The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not     ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which     makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that     reads a TLS base address. (CVE-2014-9419)

  - The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS     lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of     service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYSENTER     instruction. (CVE-2015-0239)

  - Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel before 3.19.6 allows local     users to gain privileges by executing a setuid program at a time instant when a chown to root is in     progress, and the ownership is changed but the setuid bit is not yet stripped. (CVE-2015-3339)

  - Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 allows L2 guest OS users to cause a     denial of service (L1 guest OS crash) via a crafted instruction that triggers an L2 emulation failure     report, a similar issue to CVE-2014-7842. (CVE-2010-5313)

  - arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 does not properly perform     RIP changes, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted     application. (CVE-2014-3647)

  - Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 allows guest OS users to cause a     denial of service (guest OS crash) via a crafted application that performs an MMIO transaction or a PIO     transaction to trigger a guest userspace emulation error report, a similar issue to CVE-2010-5313.
    (CVE-2014-7842)

  - The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename     actions inside a bind mount, which allows local users to bypass an intended container protection mechanism     by renaming a directory, related to a double-chroot attack. (CVE-2015-2925)

  - Race condition in the ldsem_cmpxchg function in drivers/tty/tty_ldsem.c in the Linux kernel before     3.13-rc4-next-20131218 allows local users to cause a denial of service (ldsem_down_read and     ldsem_down_write deadlock) by establishing a new tty thread during shutdown of a previous tty thread.
    (CVE-2015-4170)

  - The sctp_init function in net/sctp/protocol.c in the Linux kernel before 4.2.3 has an incorrect sequence     of protocol-initialization steps, which allows local users to cause a denial of service (panic or memory     corruption) by creating SCTP sockets before all of the steps have finished. (CVE-2015-5283)

  - The perf_callchain_user_64 function in arch/powerpc/perf/callchain.c in the Linux kernel before 4.0.2 on     ppc64 platforms allows local users to cause a denial of service (infinite loop) via a deep 64-bit     userspace backtrace. (CVE-2015-6526)

  - Race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to     gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against     uninitialized data, related to msg.c, shm.c, and util.c. (CVE-2015-7613)

  - The Linux kernel, as used in Red Hat Enterprise Linux 7, kernel-rt, and Enterprise MRG 2 and when booted     with UEFI Secure Boot enabled, allows local users to bypass intended securelevel/secureboot restrictions     by leveraging improper handling of secure_boot flag across kexec reboot. (CVE-2015-7837)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The SUSE Linux Enterprise 11 Service Pack 1 LTSS kernel was updated to fix security issues on kernels on the x86_64 architecture.

The following security bugs have been fixed :

  - CVE-2013-4299: Interpretation conflict in     drivers/md/dm-snap-persistent.c in the Linux kernel     through 3.11.6 allowed remote authenticated users to     obtain sensitive information or modify data via a     crafted mapping to a snapshot block device (bnc#846404).

  - CVE-2014-8160: SCTP firewalling failed until the SCTP     module was loaded (bnc#913059).

  - CVE-2014-9584: The parse_rock_ridge_inode_internal     function in fs/isofs/rock.c in the Linux kernel before     3.18.2 did not validate a length value in the Extensions     Reference (ER) System Use Field, which allowed local     users to obtain sensitive information from kernel memory     via a crafted iso9660 image (bnc#912654).

  - CVE-2014-9585: The vdso_addr function in     arch/x86/vdso/vma.c in the Linux kernel through 3.18.2     did not properly choose memory locations for the vDSO     area, which made it easier for local users to bypass the     ASLR protection mechanism by guessing a location at the     end of a PMD (bnc#912705).

  - CVE-2014-9420: The rock_continue function in     fs/isofs/rock.c in the Linux kernel through 3.18.1 did     not restrict the number of Rock Ridge continuation     entries, which allowed local users to cause a denial of     service (infinite loop, and system crash or hang) via a     crafted iso9660 image (bnc#911325).

  - CVE-2014-0181: The Netlink implementation in the Linux     kernel through 3.14.1 did not provide a mechanism for     authorizing socket operations based on the opener of a     socket, which allowed local users to bypass intended     access restrictions and modify network configurations by     using a Netlink socket for the (1) stdout or (2) stderr     of a setuid program (bnc#875051).

  - CVE-2010-5313: Race condition in arch/x86/kvm/x86.c in     the Linux kernel before 2.6.38 allowed L2 guest OS users     to cause a denial of service (L1 guest OS crash) via a     crafted instruction that triggers an L2 emulation     failure report, a similar issue to CVE-2014-7842     (bnc#907822).

  - CVE-2014-7842: Race condition in arch/x86/kvm/x86.c in     the Linux kernel before 3.17.4 allowed guest OS users to     cause a denial of service (guest OS crash) via a crafted     application that performs an MMIO transaction or a PIO     transaction to trigger a guest userspace emulation error     report, a similar issue to CVE-2010-5313 (bnc#905312).

  - CVE-2014-3688: The SCTP implementation in the Linux     kernel before 3.17.4 allowed remote attackers to cause a     denial of service (memory consumption) by triggering a     large number of chunks in an associations output queue,     as demonstrated by ASCONF probes, related to     net/sctp/inqueue.c and net/sctp/sm_statefuns.c     (bnc#902351).

  - CVE-2014-3687: The sctp_assoc_lookup_asconf_ack function     in net/sctp/associola.c in the SCTP implementation in     the Linux kernel through 3.17.2 allowed remote attackers     to cause a denial of service (panic) via duplicate     ASCONF chunks that trigger an incorrect uncork within     the side-effect interpreter (bnc#902349).

  - CVE-2014-3673: The SCTP implementation in the Linux     kernel through 3.17.2 allowed remote attackers to cause     a denial of service (system crash) via a malformed     ASCONF chunk, related to net/sctp/sm_make_chunk.c and     net/sctp/sm_statefuns.c (bnc#902346).

  - CVE-2014-7841: The sctp_process_param function in     net/sctp/sm_make_chunk.c in the SCTP implementation in     the Linux kernel before 3.17.4, when ASCONF is used,     allowed remote attackers to cause a denial of service     (NULL pointer dereference and system crash) via a     malformed INIT chunk (bnc#905100).

  - CVE-2014-8709: The ieee80211_fragment function in     net/mac80211/tx.c in the Linux kernel before 3.13.5 did     not properly maintain a certain tail pointer, which     allowed remote attackers to obtain sensitive cleartext     information by reading packets (bnc#904700).

  - CVE-2013-7263: The Linux kernel before 3.12.4 updated     certain length values before ensuring that associated     data structures have been initialized, which allowed     local users to obtain sensitive information from kernel     stack memory via a (1) recvfrom, (2) recvmmsg, or (3)     recvmsg system call, related to net/ipv4/ping.c,     net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and     net/ipv6/udp.c (bnc#857643).

  - CVE-2012-6657: The sock_setsockopt function in     net/core/sock.c in the Linux kernel before 3.5.7 did not     ensure that a keepalive action is associated with a     stream socket, which allowed local users to cause a     denial of service (system crash) by leveraging the     ability to create a raw socket (bnc#896779).

  - CVE-2014-3185: Multiple buffer overflows in the     command_port_read_callback function in     drivers/usb/serial/whiteheat.c in the Whiteheat USB     Serial Driver in the Linux kernel before 3.16.2 allowed     physically proximate attackers to execute arbitrary code     or cause a denial of service (memory corruption and     system crash) via a crafted device that provides a large     amount of (1) EHCI or (2) XHCI data associated with a     bulk response (bnc#896391).

  - CVE-2014-3184: The report_fixup functions in the HID     subsystem in the Linux kernel before 3.16.2 might allow     physically proximate attackers to cause a denial of     service (out-of-bounds write) via a crafted device that     provides a small report descriptor, related to (1)     drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3)     drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c,     (5) drivers/hid/hid-petalynx.c, and (6)     drivers/hid/hid-sunplus.c (bnc#896390).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 Service Pack 2 LTSS kernel has been updated to fix security issues on kernels on the x86_64 architecture.

The following security bugs have been fixed :

  - CVE-2012-4398: The __request_module function in     kernel/kmod.c in the Linux kernel before 3.4 did not set     a certain killable attribute, which allowed local users     to cause a denial of service (memory consumption) via a     crafted application (bnc#779488).

  - CVE-2013-2893: The Human Interface Device (HID)     subsystem in the Linux kernel through 3.11, when     CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or     CONFIG_LOGIWHEELS_FF is enabled, allowed physically     proximate attackers to cause a denial of service     (heap-based out-of-bounds write) via a crafted device,     related to (1) drivers/hid/hid-lgff.c, (2)     drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c     (bnc#835839).

  - CVE-2013-2897: Multiple array index errors in     drivers/hid/hid-multitouch.c in the Human Interface     Device (HID) subsystem in the Linux kernel through 3.11,     when CONFIG_HID_MULTITOUCH is enabled, allowed     physically proximate attackers to cause a denial of     service (heap memory corruption, or NULL pointer     dereference and OOPS) via a crafted device (bnc#835839).

  - CVE-2013-2899: drivers/hid/hid-picolcd_core.c in the     Human Interface Device (HID) subsystem in the Linux     kernel through 3.11, when CONFIG_HID_PICOLCD is enabled,     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and OOPS) via a     crafted device (bnc#835839).

  - CVE-2013-2929: The Linux kernel before 3.12.2 did not     properly use the get_dumpable function, which allowed     local users to bypass intended ptrace restrictions or     obtain sensitive information from IA64 scratch registers     via a crafted application, related to kernel/ptrace.c     and arch/ia64/include/asm/processor.h (bnc#847652).

  - CVE-2013-7263: The Linux kernel before 3.12.4 updates     certain length values before ensuring that associated     data structures have been initialized, which allowed     local users to obtain sensitive information from kernel     stack memory via a (1) recvfrom, (2) recvmmsg, or (3)     recvmsg system call, related to net/ipv4/ping.c,     net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and     net/ipv6/udp.c (bnc#857643).

  - CVE-2014-0131: Use-after-free vulnerability in the     skb_segment function in net/core/skbuff.c in the Linux     kernel through 3.13.6 allowed attackers to obtain     sensitive information from kernel memory by leveraging     the absence of a certain orphaning operation     (bnc#867723).

  - CVE-2014-0181: The Netlink implementation in the Linux     kernel through 3.14.1 did not provide a mechanism for     authorizing socket operations based on the opener of a     socket, which allowed local users to bypass intended     access restrictions and modify network configurations by     using a Netlink socket for the (1) stdout or (2) stderr     of a setuid program (bnc#875051).

  - CVE-2014-2309: The ip6_route_add function in     net/ipv6/route.c in the Linux kernel through 3.13.6 did     not properly count the addition of routes, which allowed     remote attackers to cause a denial of service (memory     consumption) via a flood of ICMPv6 Router Advertisement     packets (bnc#867531).

  - CVE-2014-3181: Multiple stack-based buffer overflows in     the magicmouse_raw_event function in     drivers/hid/hid-magicmouse.c in the Magic Mouse HID     driver in the Linux kernel through 3.16.3 allowed     physically proximate attackers to cause a denial of     service (system crash) or possibly execute arbitrary     code via a crafted device that provides a large amount     of (1) EHCI or (2) XHCI data associated with an event     (bnc#896382).

  - CVE-2014-3184: The report_fixup functions in the HID     subsystem in the Linux kernel before 3.16.2 might have     allowed physically proximate attackers to cause a denial     of service (out-of-bounds write) via a crafted device     that provides a small report descriptor, related to (1)     drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3)     drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c,     (5) drivers/hid/hid-petalynx.c, and (6)     drivers/hid/hid-sunplus.c (bnc#896390).

  - CVE-2014-3185: Multiple buffer overflows in the     command_port_read_callback function in     drivers/usb/serial/whiteheat.c in the Whiteheat USB     Serial Driver in the Linux kernel before 3.16.2 allowed     physically proximate attackers to execute arbitrary code     or cause a denial of service (memory corruption and     system crash) via a crafted device that provides a large     amount of (1) EHCI or (2) XHCI data associated with a     bulk response (bnc#896391).

  - CVE-2014-3186: Buffer overflow in the picolcd_raw_event     function in devices/hid/hid-picolcd_core.c in the     PicoLCD HID device driver in the Linux kernel through     3.16.3, as used in Android on Nexus 7 devices, allowed     physically proximate attackers to cause a denial of     service (system crash) or possibly execute arbitrary     code via a crafted device that sends a large report     (bnc#896392).

  - CVE-2014-3601: The kvm_iommu_map_pages function in     virt/kvm/iommu.c in the Linux kernel through 3.16.1     miscalculates the number of pages during the handling of     a mapping failure, which allowed guest OS users to (1)     cause a denial of service (host OS memory corruption) or     possibly have unspecified other impact by triggering a     large gfn value or (2) cause a denial of service (host     OS memory consumption) by triggering a small gfn value     that leads to permanently pinned pages (bnc#892782).

  - CVE-2014-3610: The WRMSR processing functionality in the     KVM subsystem in the Linux kernel through 3.17.2 did not     properly handle the writing of a non-canonical address     to a model-specific register, which allowed guest OS     users to cause a denial of service (host OS crash) by     leveraging guest OS privileges, related to the     wrmsr_interception function in arch/x86/kvm/svm.c and     the handle_wrmsr function in arch/x86/kvm/vmx.c     (bnc#899192).

  - CVE-2014-3646: arch/x86/kvm/vmx.c in the KVM subsystem     in the Linux kernel through 3.17.2 did not have an exit     handler for the INVVPID instruction, which allowed guest     OS users to cause a denial of service (guest OS crash)     via a crafted application (bnc#899192).

  - CVE-2014-3647: arch/x86/kvm/emulate.c in the KVM     subsystem in the Linux kernel through 3.17.2 did not     properly perform RIP changes, which allowed guest OS     users to cause a denial of service (guest OS crash) via     a crafted application (bnc#899192).

  - CVE-2014-3673: The SCTP implementation in the Linux     kernel through 3.17.2 allowed remote attackers to cause     a denial of service (system crash) via a malformed     ASCONF chunk, related to net/sctp/sm_make_chunk.c and     net/sctp/sm_statefuns.c (bnc#902346).

  - CVE-2014-3687: The sctp_assoc_lookup_asconf_ack function     in net/sctp/associola.c in the SCTP implementation in     the Linux kernel through 3.17.2 allowed remote attackers     to cause a denial of service (panic) via duplicate     ASCONF chunks that trigger an incorrect uncork within     the side-effect interpreter (bnc#902349).

  - CVE-2014-3688: The SCTP implementation in the Linux     kernel before 3.17.4 allowed remote attackers to cause a     denial of service (memory consumption) by triggering a     large number of chunks in an associations output queue,     as demonstrated by ASCONF probes, related to     net/sctp/inqueue.c and net/sctp/sm_statefuns.c     (bnc#902351).

  - CVE-2014-3690: arch/x86/kvm/vmx.c in the KVM subsystem     in the Linux kernel before 3.17.2 on Intel processors     did not ensure that the value in the CR4 control     register remains the same after a VM entry, which     allowed host OS users to kill arbitrary processes or     cause a denial of service (system disruption) by     leveraging /dev/kvm access, as demonstrated by     PR_SET_TSC prctl calls within a modified copy of QEMU     (bnc#902232).

  - CVE-2014-4608: Multiple integer overflows in the     lzo1x_decompress_safe function in     lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor     in the Linux kernel before 3.15.2 allowed     context-dependent attackers to cause a denial of service     (memory corruption) via a crafted Literal Run     (bnc#883948).

  - CVE-2014-4943: The PPPoL2TP feature in     net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6     allowed local users to gain privileges by leveraging     data-structure differences between an l2tp socket and an     inet socket (bnc#887082).

  - CVE-2014-5471: Stack consumption vulnerability in the     parse_rock_ridge_inode_internal function in     fs/isofs/rock.c in the Linux kernel through 3.16.1     allowed local users to cause a denial of service     (uncontrolled recursion, and system crash or reboot) via     a crafted iso9660 image with a CL entry referring to a     directory entry that has a CL entry (bnc#892490).

  - CVE-2014-5472: The parse_rock_ridge_inode_internal     function in fs/isofs/rock.c in the Linux kernel through     3.16.1 allowed local users to cause a denial of service     (unkillable mount process) via a crafted iso9660 image     with a self-referential CL entry (bnc#892490).

  - CVE-2014-7826: kernel/trace/trace_syscalls.c in the     Linux kernel through 3.17.2 did not properly handle     private syscall numbers during use of the ftrace     subsystem, which allowed local users to gain privileges     or cause a denial of service (invalid pointer     dereference) via a crafted application (bnc#904013).

  - CVE-2014-7841: The sctp_process_param function in     net/sctp/sm_make_chunk.c in the SCTP implementation in     the Linux kernel before 3.17.4, when ASCONF is used,     allowed remote attackers to cause a denial of service     (NULL pointer dereference and system crash) via a     malformed INIT chunk (bnc#905100).

  - CVE-2014-7842: Race condition in arch/x86/kvm/x86.c in     the Linux kernel before 3.17.4 allowed guest OS users to     cause a denial of service (guest OS crash) via a crafted     application that performs an MMIO transaction or a PIO     transaction to trigger a guest userspace emulation error     report, a similar issue to CVE-2010-5313 (bnc#905312).

  - CVE-2014-8134: The paravirt_ops_setup function in     arch/x86/kernel/kvm.c in the Linux kernel through 3.18     uses an improper paravirt_enabled setting for KVM guest     kernels, which made it easier for guest OS users to     bypass the ASLR protection mechanism via a crafted     application that reads a 16-bit value (bnc#909078).

  - CVE-2014-8369: The kvm_iommu_map_pages function in     virt/kvm/iommu.c in the Linux kernel through 3.17.2     miscalculates the number of pages during the handling of     a mapping failure, which allowed guest OS users to cause     a denial of service (host OS page unpinning) or possibly     have unspecified other impact by leveraging guest OS     privileges. NOTE: this vulnerability exists because of     an incorrect fix for CVE-2014-3601 (bnc#902675).

  - CVE-2014-8559: The d_walk function in fs/dcache.c in the     Linux kernel through 3.17.2 did not properly maintain     the semantics of rename_lock, which allowed local users     to cause a denial of service (deadlock and system hang)     via a crafted application (bnc#903640).

  - CVE-2014-8709: The ieee80211_fragment function in     net/mac80211/tx.c in the Linux kernel before 3.13.5 did     not properly maintain a certain tail pointer, which     allowed remote attackers to obtain sensitive cleartext     information by reading packets (bnc#904700).

  - CVE-2014-9584: The parse_rock_ridge_inode_internal     function in fs/isofs/rock.c in the Linux kernel before     3.18.2 did not validate a length value in the Extensions     Reference (ER) System Use Field, which allowed local     users to obtain sensitive information from kernel memory     via a crafted iso9660 image (bnc#912654).

  - CVE-2014-9585: The vdso_addr function in     arch/x86/vdso/vma.c in the Linux kernel through 3.18.2     did not properly choose memory locations for the vDSO     area, which made it easier for local users to bypass the     ASLR protection mechanism by guessing a location at the     end of a PMD (bnc#912705).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 3.14.27 stable update contains a number of important fixes across the tree.\nThe 3.14.26 update contains a number of important fixes across the tree\nThe 3.14.25 stable update contains a number of important fixes across the tree.\nThe 3.14.24 stable update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
91643	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20160510)	Nessus	Scientific Linux Local Security Checks	high
91210	Oracle Linux 6 : kernel (ELSA-2016-0855)	Nessus	Oracle Linux Local Security Checks	high
91170	CentOS 6 : kernel (CESA-2016:0855)	Nessus	CentOS Local Security Checks	high
91077	RHEL 6 : kernel (RHSA-2016:0855)	Nessus	Red Hat Local Security Checks	high
90019	OracleVM 3.2 : kernel-uek (OVMSA-2016-0037)	Nessus	OracleVM Local Security Checks	critical
88066	F5 Networks BIG-IP : Linux kernel vulnerabilities (K62700573)	Nessus	F5 Networks Local Security Checks	medium
87835	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2016-3502)	Nessus	Oracle Linux Local Security Checks	medium
87559	Scientific Linux Security Update : kernel on SL7.x x86_64 (20151119)	Nessus	Scientific Linux Local Security Checks	medium
87135	CentOS 7 : kernel (CESA-2015:2152)	Nessus	CentOS Local Security Checks	high
87090	Oracle Linux 7 : kernel (ELSA-2015-2152)	Nessus	Oracle Linux Local Security Checks	high
86972	RHEL 7 : kernel (RHSA-2015:2152)	Nessus	Red Hat Local Security Checks	high
83708	SUSE SLES11 Security Update : kernel (SUSE-SU-2015:0652-1)	Nessus	SuSE Local Security Checks	high
83696	SUSE SLES11 Security Update : kernel (SUSE-SU-2015:0481-1)	Nessus	SuSE Local Security Checks	high
82020	SuSE 11.3 Security Update : Linux Kernel (SAT Patch Numbers 10412 / 10415 / 10416)	Nessus	SuSE Local Security Checks	high
80376	Fedora 19 : kernel-3.14.27-100.fc19 (2014-17244)	Nessus	Fedora Local Security Checks	medium

CVE-2010-5313

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

critical

medium

medium

medium

high

high

high

high

high

high

medium