http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a5598bd9c087dc0efc250a5221e5d0e6f584ee88

SUSE-SU-2013:1182

openSUSE-SU-2013:1187

openSUSE-SU-2013:1971

MDVSA-2013:176

[oss-security] 20130414 Linux kernel: more net info leak fixes for v3.9

USN-1837-1

https://github.com/torvalds/linux/commit/a5598bd9c087dc0efc250a5221e5d0e6f584ee88

[linux-kernel] 20130414 Linux 3.9-rc7

The SUSE Linux Enterprise Server 10 Service Pack 4 LTSS kernel has been updated to fix various security issues and several bugs.

The following security issues have been addressed :

CVE-2011-2492: The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c. (bnc#702014)

CVE-2011-2494: kernel/taskstats.c in the Linux kernel before 3.1 allows local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password. (bnc#703156)

CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.
(bnc#809889)

CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809891)

CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 3.6 does not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809892)

CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809893)

CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return value in certain circumstances, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument. (bnc#809894)

CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. (bnc#809898)

CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application.
(bnc#809899)

CVE-2012-6546: The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809900)

CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809901)

CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (bnc#809903)

CVE-2013-0343: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages. (bnc#805226)

CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. (bnc#808827)

CVE-2013-1827: net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call.
(bnc#811354)

CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call.
(bnc#823267)

CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. (bnc#824295)

CVE-2013-2206: The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic. (bnc#826102)

CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. (bnc#827750)

CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.
(bnc#827749)

CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (bnc#828119)

CVE-2013-2888: Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID. (bnc#835839)

CVE-2013-2893: The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c.
(bnc#835839)

CVE-2013-2897: Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device. (bnc#835839)

CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668)

CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668)

CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3235: net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668)

CVE-2013-4162: The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call.
(bnc#831058)

CVE-2013-4387: net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response packet. (bnc#843430)

CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.
(bnc#847672)

CVE-2013-4483: The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application. (bnc#848321)

CVE-2013-4588: Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function. (bnc#851095)

CVE-2013-6383: The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call. (bnc#852558)

CVE-2014-1444: The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869)

CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call. (bnc#858870)

CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. (bnc#858872)

Also the following non-security bugs have been fixed :

  - kernel: Remove newline from execve audit log     (bnc#827855).

  - kernel: sclp console hangs (bnc#830344, LTC#95711).

  - kernel: fix flush_tlb_kernel_range (bnc#825052,     LTC#94745). kernel: lost IPIs on CPU hotplug     (bnc#825052, LTC#94784).

    sctp: deal with multiple COOKIE_ECHO chunks     (bnc#826102).

  - net: Uninline kfree_skb and allow NULL argument     (bnc#853501).

  - netback: don't disconnect frontend when seeing oversize     packet. netfront: reduce gso_max_size to account for max     TCP header.

    fs/dcache: Avoid race in d_splice_alias and vfs_rmdir     (bnc#845028).

  - fs/proc: proc_task_lookup() fix memory pinning     (bnc#827362 bnc#849765).

  - blkdev_max_block: make private to fs/buffer.c     (bnc#820338).

  - vfs: avoid 'attempt to access beyond end of device'     warnings (bnc#820338).

  - vfs: fix O_DIRECT read past end of block device     (bnc#820338).

  - cifs: don't use CIFSGetSrvInodeNumber in     is_path_accessible (bnc#832603).

  - xfs: Fix kABI breakage caused by AIL list transformation     (bnc#806219).

  - xfs: Replace custom AIL linked-list code with struct     list_head (bnc#806219).

  - reiserfs: fix problems with chowning setuid file w/     xattrs (bnc#790920).

  - reiserfs: fix spurious multiple-fill in     reiserfs_readdir_dentry (bnc#822722). jbd: Fix forever     sleeping process in do_get_write_access() (bnc#827983).

    HID: check for NULL field when setting values     (bnc#835839).

  - HID: provide a helper for validating hid reports     (bnc#835839).

  - bcm43xx: netlink deadlock fix (bnc#850241).

  - bnx2: Close device if tx_timeout reset fails     (bnc#857597).

  - xfrm: invalidate dst on policy insertion/deletion     (bnc#842239).

  - xfrm: prevent ipcomp scratch buffer race condition     (bnc#842239).

  - lpfc: Update to 8.2.0.106 (bnc#798050).

  - Make lpfc task management timeout configurable     (bnc#798050).

  - dpt_i2o: Remove DPTI_STATE_IOCTL (bnc#798050).

  - dpt_i2o: return SCSI_MLQUEUE_HOST_BUSY when in reset     (bnc#798050).

  - advansys: Remove 'last_reset' references (bnc#798050).

  - tmscsim: Move 'last_reset' into host structure     (bnc#798050). dc395: Move 'last_reset' into internal     host structure (bnc#798050).

    scsi: remove check for 'resetting' (bnc#798050).

  - scsi: Allow error handling timeout to be specified     (bnc#798050).

  - scsi: Eliminate error handler overload of the SCSI     serial number (bnc#798050).

  - scsi: Reduce sequential pointer derefs in scsi_error.c     and reduce size as well (bnc#798050).

  - scsi: Reduce error recovery time by reducing use of TURs     (bnc#798050).

  - scsi: fix eh wakeup (scsi_schedule_eh vs     scsi_restart_operations)

  - scsi: cleanup setting task state in scsi_error_handler()     (bnc#798050).

  - scsi: Add 'eh_deadline' to limit SCSI EH runtime     (bnc#798050).

  - scsi: Fixup compilation warning (bnc#798050).

  - scsi: fc class: fix scanning when devs are offline     (bnc#798050).

  - scsi: Warn on invalid command completion (bnc#798050).

  - scsi: Retry failfast commands after EH (bnc#798050).

  - scsi: kABI fixes (bnc#798050).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise Server 10 SP3 LTSS kernel received a roll up update to fix lots of moderate security issues and several bugs.

The Following security issues have been fixed :

CVE-2012-4530: The load_script function in fs/binfmt_script.c in the Linux kernel did not properly handle recursion, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password.

CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel did not initialize certain structure members, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.

CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket.

CVE-2013-2147: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel did not initialize certain data structures, which allowed local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c.

CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call.

CVE-2013-0160: The Linux kernel allowed local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device.

CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.

CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel did not properly initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3235: net/tipc/socket.c in the Linux kernel did not initialize a certain data structure and a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-1827: net/dccp/ccid.h in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call.

CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory via a crafted application.

CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2012-6546: The ATM implementation in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation.

CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel memory via a crafted application.

CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel had an incorrect return value in certain circumstances, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument.

CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel did not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel preserved the value of the sa_restorer field across an exec operation, which made it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call.

CVE-2011-2492: The bluetooth subsystem in the Linux kernel did not properly initialize certain data structures, which allowed local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c.

CVE-2013-2206: The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel did not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic.

CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel allowed local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.

CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.

CVE-2012-4444: The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel allowed remote attackers to bypass intended network restrictions via overlapping IPv6 fragments.

CVE-2013-1928: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel on unspecified architectures lacked a certain error check, which might have allowed local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device.

CVE-2013-0871: Race condition in the ptrace functionality in the Linux kernel allowed local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death.

CVE-2013-0268: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel allowed local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c.

CVE-2012-3510: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.

CVE-2011-4110: The user_update function in security/keys/user_defined.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and 'updating a negative key into a fully instantiated key.'

CVE-2012-2136: The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device.

CVE-2009-4020: Stack-based buffer overflow in the hfs subsystem in the Linux kernel allowed remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the hfs_readdir function in fs/hfs/dir.c.

CVE-2011-2928: The befs_follow_link function in fs/befs/linuxvfs.c in the Linux kernel did not validate the length attribute of long symlinks, which allowed local users to cause a denial of service (incorrect pointer dereference and OOPS) by accessing a long symlink on a malformed Be filesystem.

CVE-2011-4077: Buffer overflow in the xfs_readlink function in fs/xfs/xfs_vnodeops.c in XFS in the Linux kernel, when CONFIG_XFS_DEBUG is disabled, allowed local users to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via an XFS image containing a symbolic link with a long pathname.

CVE-2011-4324: The encode_share_access function in fs/nfs/nfs4xdr.c in the Linux kernel allowed local users to cause a denial of service (BUG and system crash) by using the mknod system call with a pathname on an NFSv4 filesystem.

CVE-2011-4330: Stack-based buffer overflow in the hfs_mac2asc function in fs/hfs/trans.c in the Linux kernel allowed local users to cause a denial of service (crash) and possibly execute arbitrary code via an HFS image with a crafted len field.

CVE-2011-1172: net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.

CVE-2011-2525: The qdisc_notify function in net/sched/sch_api.c in the Linux kernel did not prevent tc_fill_qdisc function calls referencing builtin (aka CQ_F_BUILTIN) Qdisc structures, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted call.

CVE-2011-2699: The IPv6 implementation in the Linux kernel did not generate Fragment Identification values separately for each destination, which made it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets.

CVE-2011-1171: net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.

CVE-2011-1170: net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.

CVE-2011-3209: The div_long_long_rem implementation in include/asm-x86/div64.h in the Linux kernel on the x86 platform allowed local users to cause a denial of service (Divide Error Fault and panic) via a clock_gettime system call.

CVE-2011-2213: The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880.

CVE-2011-2534: Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel might have allowed local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating 0 character.

CVE-2011-2699: The IPv6 implementation in the Linux kernel did not generate Fragment Identification values separately for each destination, which made it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets.

CVE-2011-2203: The hfs_find_init function in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and Oops) by mounting an HFS file system with a malformed MDB extent record.

CVE-2009-4067: A USB string descriptor overflow in the auerwald USB driver was fixed, which could be used by physically proximate attackers to cause a kernel crash.

CVE-2011-3363: The setup_cifs_sb function in fs/cifs/connect.c in the Linux kernel did not properly handle DFS referrals, which allowed remote CIFS servers to cause a denial of service (system crash) by placing a referral at the root of a share.

CVE-2011-2484: The add_del_listener function in kernel/taskstats.c in the Linux kernel did not prevent multiple registrations of exit handlers, which allowed local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application.

CVE-2011-4132: The cleanup_journal_tail function in the Journaling Block Device (JBD) functionality in the Linux kernel allowed local users to cause a denial of service (assertion error and kernel oops) via an ext3 or ext4 image with an 'invalid log first block value.'

CVE-2010-4249: The wait_for_unix_gc function in net/unix/garbage.c in the Linux kernel before 2.6.37-rc3-next-20101125 does not properly select times for garbage collection of inflight sockets, which allows local users to cause a denial of service (system hang) via crafted use of the socketpair and sendmsg system calls for SOCK_SEQPACKET sockets.

The following bugs have been fixed :

patches.fixes/allow-executables-larger-than-2GB.patch: Allow executables larger than 2GB (bnc#836856).

cio: prevent kernel panic after unexpected I/O interrupt (bnc#649868,LTC#67975).

  - cio: Add timeouts for internal IO     (bnc#701550,LTC#72691). kernel: first time swap use     results in heavy swapping (bnc#701550,LTC#73132).

    qla2xxx: Do not be so verbose on underrun detected

    patches.arch/i386-run-tsc-calibration-5-times.patch: Fix     the patch, the logic was wrong (bnc#537165, bnc#826551).

    xfs: Do not reclaim new inodes in xfs_sync_inodes()     (bnc#770980 bnc#811752).

    kbuild: Fix gcc -x syntax (bnc#773831).

    e1000e: stop cleaning when we reach tx_ring->next_to_use     (bnc#762825).

    Fix race condition about network device name allocation     (bnc#747576).

    kdump: bootmem map over crash reserved region     (bnc#749168, bnc#722400, bnc#742881).

    tcp: fix race condition leading to premature termination     of sockets in FIN_WAIT2 state and connection being reset     (bnc#745760)

    tcp: drop SYN+FIN messages (bnc#765102).

    net/linkwatch: Handle jiffies wrap-around (bnc#740131).

    patches.fixes/vm-dirty-bytes: Provide     /proc/sys/vm/dirty_{background_,}bytes for tuning     (bnc#727597).

    ipmi: Fix deadlock in start_next_msg() (bnc#730749).

    cpu-hotplug: release workqueue_mutex properly on CPU     hot-remove (bnc#733407).

    libiscsi: handle init task failures (bnc#721351).

    NFS/sunrpc: do not use a credential with extra groups     (bnc#725878).

    x86_64: fix reboot hang when 'reboot=b' is passed to the     kernel (bnc#721267).

    nf_nat: do not add NAT extension for confirmed     conntracks (bnc#709213).

    xfs: fix memory reclaim recursion deadlock on locked     inode buffer (bnc#699355 bnc#699354 bnc#721830).

    ipmi: do not grab locks in run-to-completion mode     (bnc#717421).

    cciss: do not attempt to read from a write-only register     (bnc#683101).

    qla2xxx: Disable MSI-X initialization (bnc#693513).

    Allow balance_dirty_pages to help other filesystems     (bnc#709369).

  - nfs: fix congestion control (bnc#709369).

  - NFS: Separate metadata and page cache revalidation     mechanisms (bnc#709369). knfsd: nfsd4: fix laundromat     shutdown race (bnc#752556).

    x87: Do not synchronize TSCs across cores if they     already should be synchronized by HW (bnc#615418     bnc#609220).

    reiserfs: Fix int overflow while calculating free space     (bnc#795075).

    af_unix: limit recursion level (bnc#656153).

    bcm43xx: netlink deadlock fix (bnc#850241).

    jbd: Issue cache flush after checkpointing (bnc#731770).

    cfq: Fix infinite loop in cfq_preempt_queue()     (bnc#724692).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 Service Pack 3 kernel has been updated to 3.0.82 and to fix various bugs and security issues.

The following security issues have been fixed :

  - The chase_port function in drivers/usb/serial/io_ti.c in     the Linux kernel allowed local users to cause a denial     of service (NULL pointer dereference and system crash)     via an attempted /dev/ttyUSB read or write operation on     a disconnected Edgeport USB serial converter.
    (CVE-2013-1774)

  - Timing side channel on attacks were possible on     /dev/ptmx that could allow local attackers to predict     keypresses like e.g. passwords. This has been fixed     again by updating accessed/modified time on the pty     devices in resolution of 8 seconds, so that idle time     detection can still work. (CVE-2013-0160)

  - The vcc_recvmsg function in net/atm/common.c in the     Linux kernel did not initialize a certain length     variable, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3222)

  - The ax25_recvmsg function in net/ax25/af_ax25.c in the     Linux kernel did not initialize a certain data     structure, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3223)

  - The bt_sock_recvmsg function in     net/bluetooth/af_bluetooth.c in the Linux kernel did not     properly initialize a certain length variable, which     allowed local users to obtain sensitive information from     kernel stack memory via a crafted recvmsg or recvfrom     system call. (CVE-2013-3224)

  - The rfcomm_sock_recvmsg function in     net/bluetooth/rfcomm/sock.c in the Linux kernel did not     initialize a certain length variable, which allowed     local users to obtain sensitive information from kernel     stack memory via a crafted recvmsg or recvfrom system     call. (CVE-2013-3225)

  - The caif_seqpkt_recvmsg function in     net/caif/caif_socket.c in the Linux kernel did not     initialize a certain length variable, which allowed     local users to obtain sensitive information from kernel     stack memory via a crafted recvmsg or recvfrom system     call. (CVE-2013-3227)

  - The irda_recvmsg_dgram function in net/irda/af_irda.c in     the Linux kernel did not initialize a certain length     variable, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3228)

  - The iucv_sock_recvmsg function in net/iucv/af_iucv.c in     the Linux kernel did not initialize a certain length     variable, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3229)

  - The llc_ui_recvmsg function in net/llc/af_llc.c in the     Linux kernel did not initialize a certain length     variable, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3231)

  - The nr_recvmsg function in net/netrom/af_netrom.c in the     Linux kernel did not initialize a certain data     structure, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3232)

  - The rose_recvmsg function in net/rose/af_rose.c in the     Linux kernel did not initialize a certain data     structure, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3234)

  - net/tipc/socket.c in the Linux kernel did not initialize     a certain data structure and a certain length variable,     which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3235)

  - The crypto API in the Linux kernel did not initialize     certain length variables, which allowed local users to     obtain sensitive information from kernel stack memory     via a crafted recvmsg or recvfrom system call, related     to the hash_recvmsg function in crypto/algif_hash.c and     the skcipher_recvmsg function in     crypto/algif_skcipher.c. (CVE-2013-3076)

  - The scm_set_cred function in include/net/scm.h in the     Linux kernel used incorrect uid and gid values during     credentials passing, which allowed local users to gain     privileges via a crafted application. (CVE-2013-1979)

  - A kernel information leak via tkill/tgkill was fixed.
    The following non-security bugs have been fixed :

S/390 :

  - af_iucv: Missing man page (bnc#825037, LTC#94825).

  - iucv: fix kernel panic at reboot (bnc#825037,     LTC#93803).

  - kernel: lost IPIs on CPU hotplug (bnc#825037,     LTC#94784).

  - dasd: Add missing descriptions for dasd timeout messages     (bnc#825037, LTC#94762).

  - dasd: Fix hanging device after resume with internal     error 13 (bnc#825037, LTC#94554).

  - cio: Suppress 2nd path verification during resume     (bnc#825037, LTC#94554).

  - vmcp: Missing man page (bnc#825037, LTC#94453).

  - kernel: 3215 console crash (bnc#825037, LTC#94302).

  - netiucv: Hold rtnl between name allocation and device     registration. (bnc#824159)

  - s390/ftrace: fix mcount adjustment (bnc#809895). HyperV :

  - Drivers: hv: Fix a bug in get_vp_index().

  - hyperv: Fix a compiler warning in netvsc_send().

  - Tools: hv: Fix a checkpatch warning.

  - tools: hv: skip iso9660 mounts in hv_vss_daemon.

  - tools: hv: use FIFREEZE/FITHAW in hv_vss_daemon.

  - tools: hv: use getmntent in hv_vss_daemon.

  - Tools: hv: Fix a checkpatch warning.

  - tools: hv: fix checks for origin of netlink message in     hv_vss_daemon.

  - Tools: hv: fix warnings in hv_vss_daemon.

  - x86, hyperv: Handle Xen emulation of Hyper-V more     gracefully.

  - hyperv: Fix a kernel warning from     netvsc_linkstatus_callback().

  - Drivers: hv: balloon: make local functions static.

  - tools: hv: daemon should check type of received Netlink     msg.

  - tools: hv: daemon setsockopt should use options macros.

  - tools: hv: daemon should subscribe only to CN_KVP_IDX     group.

  - driver: hv: remove cast for kmalloc return value.

  - hyperv: use 3.4 as LIC version string (bnc#822431).
    BTRFS :

  - btrfs: flush delayed inodes if we are short on space.
    (bnc#801427)

  - btrfs: rework shrink_delalloc. (bnc#801427)

  - btrfs: fix our overcommit math. (bnc#801427)

  - btrfs: delay block group item insertion. (bnc#801427)

  - btrfs: remove bytes argument from do_chunk_alloc.
    (bnc#801427)

  - btrfs: run delayed refs first when out of space.
    (bnc#801427)

  - btrfs: do not commit instead of overcommitting.
    (bnc#801427)

  - btrfs: do not take inode delalloc mutex if we are a free     space inode. (bnc#801427)

  - btrfs: fix chunk allocation error handling. (bnc#801427)

  - btrfs: remove extent mapping if we fail to add chunk.
    (bnc#801427)

  - btrfs: do not overcommit if we do not have enough space     for global rsv. (bnc#801427)

  - btrfs: rework the overcommit logic to be based on the     total size. (bnc#801427)

  - btrfs: steal from global reserve if we are cleaning up     orphans. (bnc#801427)

  - btrfs: clear chunk_alloc flag on retryable failure.
    (bnc#801427)

  - btrfs: use reserved space for creating a snapshot.
    (bnc#801427)

  - btrfs: cleanup to make the function     btrfs_delalloc_reserve_metadata more logic. (bnc#801427)

  - btrfs: fix space leak when we fail to reserve metadata     space. (bnc#801427)

  - btrfs: fix space accounting for unlink and rename.
    (bnc#801427)

  - btrfs: allocate new chunks if the space is not enough     for global rsv. (bnc#801427)

  - btrfs: various abort cleanups. (bnc#812526 / bnc#801427)

  - btrfs: simplify unlink reservations (bnc#801427). XFS :

  - xfs: Move allocation stack switch up to xfs_bmapi.
    (bnc#815356)

  - xfs: introduce XFS_BMAPI_STACK_SWITCH. (bnc#815356)

  - xfs: zero allocation_args on the kernel stack.
    (bnc#815356)

  - xfs: fix debug_object WARN at xfs_alloc_vextent().
    (bnc#815356)

  - xfs: do not defer metadata allocation to the workqueue.
    (bnc#815356)

  - xfs: introduce an allocation workqueue. (bnc#815356)

  - xfs: fix race while discarding buffers [V4] (bnc#815356     (comment 36)).

  - xfs: Serialize file-extending direct IO. (bnc#818371)

  - xfs: Do not allocate new buffers on every call to
    _xfs_buf_find. (bnc#763968)

  - xfs: fix buffer lookup race on allocation failure     (bnc#763968). ALSA :

  - Fix VT1708 jack detection on SLEPOS machines.
    (bnc#813922)

  - ALSA: hda - Avoid choose same converter for unused pins.
    (bnc#826186)

  - ALSA: hda - Cache the MUX selection for generic HDMI.
    (bnc#826186)

  - ALSA: hda - Haswell converter power state D0 verify.
    (bnc#826186)

  - ALSA: hda - Do not take unresponsive D3 transition too     serious. (bnc#823597)

  - ALSA: hda - Introduce bit flags to     snd_hda_codec_read/write(). (bnc#823597)

  - ALSA: hda - Check CORB overflow. (bnc#823597)

  - ALSA: hda - Check validity of CORB/RIRB WP reads.
    (bnc#823597)

  - ALSA: hda - Fix system panic when DMA > 40 bits for     Nvidia audio controllers. (bnc#818465)

  - ALSA: hda - Add hint for suppressing lower cap for IDT     codecs. (bnc#812332)

  - ALSA: hda - Enable mic-mute LED on more HP laptops     (bnc#821859). Direct Rendering Manager (DRM) :

  - drm/i915: Add wait_for in init_ring_common. (bnc#813604)

  - drm/i915: Mark the ringbuffers as being in the GTT     domain. (bnc#813604)

  - drm/edid: Do not print messages regarding stereo or     csync by default. (bnc#821235)

  - drm/i915: force full modeset if the connector is in DPMS     OFF mode. (bnc#809975)

  - drm/i915/sdvo: Use &amp;intel_sdvo->ddc instead of     intel_sdvo->i2c for DDC. (bnc#808855)

  - drm/mm: fix dump table BUG. (bnc#808837)

  - drm/i915: Clear the stolen fb before enabling     (bnc#808015). XEN :

  - xen/netback: Update references. (bnc#823342)

  - xen: Check for insane amounts of requests on the ring.

  - Update Xen patches to 3.0.82.

  - netback: do not disconnect frontend when seeing oversize     packet.

  - netfront: reduce gso_max_size to account for max TCP     header.

  - netfront: fix kABI after 'reduce gso_max_size to account     for max TCP header'. Other :

  - x86, efi: retry ExitBootServices() on failure.
    (bnc#823386)

  - x86/efi: Fix dummy variable buffer allocation.
    (bnc#822080)

  - ext4: avoid hang when mounting non-journal filesystems     with orphan list. (bnc#817377)

  - mm: compaction: Scan PFN caching KABI workaround (Fix     KABI breakage (bnc#825657)).

  - autofs4 - fix get_next_positive_subdir(). (bnc#819523)

  - ocfs2: Add bits_wanted while calculating credits in     ocfs2_calc_extend_credits. (bnc#822077)

  - writeback: Avoid needless scanning of b_dirty list.
    (bnc#819018)

  - writeback: Do not sort b_io list only because of block     device inode. (bnc#819018)

  - re-enable io tracing. (bnc#785901)

  - pciehp: Corrected the old mismatching DMI strings.

  - SUNRPC: Prevent an rpc_task wakeup race. (bnc#825591)

  - tg3: Prevent system hang during repeated EEH errors.
    (bnc#822066)

  - scsi_dh_alua: multipath failover fails with error 15.
    (bnc#825696)

  - Do not switch camera on HP EB 8780. (bnc#797090)

  - Do not switch webcam for HP EB 8580w. (bnc#797090)

  - mm: fixup compilation error due to an asm write through     a const pointer. (bnc#823795)

  - do not switch cam port on HP EliteBook 840. (bnc#822164)

  - net/sunrpc: xpt_auth_cache should be ignored when     expired. (bnc#803320)

  - sunrpc/cache: ensure items removed from cache do not     have pending upcalls. (bnc#803320)

  - sunrpc/cache: remove races with queuing an upcall.
    (bnc#803320)

  - sunrpc/cache: use cache_fresh_unlocked consistently and     correctly. (bnc#803320)

  - KVM: x86: emulate movdqa. (bnc#821070)

  - KVM: x86: emulator: add support for vector alignment.
    (bnc#821070)

  - KVM: x86: emulator: expand decode flags to 64 bits.
    (bnc#821070)

  - xhci - correct comp_mode_recovery_timer on return from     hibernate. (bnc#808136)

  - md/raid10 enough fixes. (bnc#773837)

  - lib/Makefile: Fix oid_registry build dependency.
    (bnc#823223)

  - Update config files: disable IP_PNP. (bnc#822825)

  - Fix kABI breakage for addition of     snd_hda_bus.no_response_fallback. (bnc#823597)

  - Disable efi pstore by default. (bnc#804482 / bnc#820172)

  - md: Fix problem with GET_BITMAP_FILE returning wrong     status. (bnc#812974)

  - bnx2x: Fix bridged GSO for 57710/57711 chips.
    (bnc#819610)

  - USB: xHCI: override bogus bulk wMaxPacketSize values.
    (bnc#823082)

  - BTUSB: Add MediaTek bluetooth MT76x0E support.
    (bnc#797727 / bnc#822340)

  - qlge: Update version to 1.00.00.32. (bnc#819195)

  - qlge: Fix ethtool autoneg advertising. (bnc#819195)

  - qlge: Fix receive path to drop error frames.
    (bnc#819195)

  - qlge: remove NETIF_F_TSO6 flag. (bnc#819195)

  - remove init of dev->perm_addr in drivers. (bnc#819195)

  - drivers/net: fix up function prototypes after __dev*     removals. (bnc#819195)

  - qlge: remove __dev* attributes. (bnc#819195)

  - drivers: ethernet: qlogic: qlge_dbg.c: Fixed a coding     style issue. (bnc#819195)

  - cxgb4: Force uninitialized state if FW_ON_ADAPTER is <     FW_VERSION and we are the MASTER_PF. (bnc#809130)

  - USB: UHCI: fix for suspend of virtual HP controller.
    (bnc#817035)

  - timer_list: Convert timer list to be a proper seq_file.
    (bnc#818047)

  - timer_list: Split timer_list_show_tickdevices.
    (bnc#818047)

  - sched: Fix /proc/sched_debug failure on very very large     systems. (bnc#818047)

  - sched: Fix /proc/sched_stat failure on very very large     systems. (bnc#818047)

  - reiserfs: fix spurious multiple-fill in     reiserfs_readdir_dentry. (bnc#822722)

  - libfc: do not exch_done() on invalid sequence ptr.
    (bnc#810722)

  - netfilter: ip6t_LOG: fix logging of packet mark.
    (bnc#821930)

  - virtio_net: introduce VIRTIO_NET_HDR_F_DATA_VALID.
    (bnc#819655)

  - HWPOISON: fix misjudgement of page_action() for errors     on mlocked pages (Memory failure RAS (bnc#821799)).

  - HWPOISON: check dirty flag to match against clean page     (Memory failure RAS (bnc#821799)).

  - HWPOISON: change order of error_states elements (Memory     failure RAS (bnc#821799)).

  - mm: hwpoison: fix action_result() to print out     dirty/clean (Memory failure RAS (bnc#821799)).

  - mm: mmu_notifier: re-fix freed page still mapped in     secondary MMU. (bnc#821052)

  - Do not switch webcams in some HP ProBooks to XHCI.
    (bnc#805804)

  - Do not switch BT on HP ProBook 4340. (bnc#812281)

  - mm: memory_dev_init make sure nmi watchdog does not     trigger while registering memory sections. (bnc#804609,     bnc#820434)

  - mm: compaction: Restart compaction from near where it     left off

  - mm: compaction: cache if a pageblock was scanned and no     pages were isolated

  - mm: compaction: clear PG_migrate_skip based on     compaction and reclaim activity

  - mm: compaction: Scan PFN caching KABI workaround

  - mm: page_allocator: Remove first_pass guard

  - mm: vmscan: do not stall on writeback during memory     compaction Cache compaction restart points for faster     compaction cycles (bnc#816451)

Multiple vulnerabilities has been found and corrected in the Linux kernel :

The scm_set_cred function in include/net/scm.h in the Linux kernel before 3.8.11 uses incorrect uid and gid values during credentials passing, which allows local users to gain privileges via a crafted application. (CVE-2013-1979)

The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3232)

net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(CVE-2013-3235)

The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3234)

The llcp_sock_recvmsg function in net/nfc/llcp/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable and a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3233)

The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3231)

The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(CVE-2013-3229)

The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(CVE-2013-3228)

The caif_seqpkt_recvmsg function in net/caif/caif_socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3227)

The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3225)

The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3224)

The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3223)

The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3222)

Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.
(CVE-2013-2596)

arch/x86/kernel/cpu/perf_event_intel.c in the Linux kernel before 3.8.9, when the Performance Events Subsystem is enabled, specifies an incorrect bitmask, which allows local users to cause a denial of service (general protection fault and system crash) by attempting to set a reserved bit. (CVE-2013-2146)

The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call. (CVE-2013-2094)

The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application. (CVE-2013-1798)

Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation. (CVE-2013-1797)

The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application. (CVE-2013-1796)

The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call.
(CVE-2013-2141)

Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel before 3.8.6 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure. (CVE-2013-1929)

The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.8-rc1, allows local users to cause a denial of service (daemon exit) via a crafted application that sends a Netlink message. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2669. (CVE-2012-5532)

The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (CVE-2012-6548)

The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (CVE-2012-6549)

net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
(CVE-2013-2634)

The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (CVE-2013-2635)

fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments to functions in certain circumstances related to printk input, which allows local users to conduct format-string attacks and possibly gain privileges via a crafted application. (CVE-2013-1848)

The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. (CVE-2013-0914)

Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux kernel before 3.8.4 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted cdc-wdm USB device. (CVE-2013-1860)

Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) via crafted keyctl system calls that trigger keyring operations in simultaneous threads. (CVE-2013-1792)

The report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect C library function for copying strings, which allows local users to obtain sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability.
(CVE-2013-2546)

The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 does not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability. (CVE-2013-2547)

The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect length value during a copy operation, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. (CVE-2013-2548)

The translate_desc function in drivers/vhost/vhost.c in the Linux kernel before 3.7 does not properly handle cross-region descriptors, which allows guest OS users to obtain host OS privileges by leveraging KVM guest OS privileges. (CVE-2013-0311)

Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message. (CVE-2013-1763)

The __skb_recv_datagram function in net/core/datagram.c in the Linux kernel before 3.8 does not properly handle the MSG_PEEK flag with zero-length data, which allows local users to cause a denial of service (infinite loop and system hang) via a crafted application.
(CVE-2013-0290)

Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option. (CVE-2013-1767)

The xen_iret function in arch/x86/xen/xen-asm_32.S in the Linux kernel before 3.7.9 on 32-bit Xen paravirt_ops platforms does not properly handle an invalid value in the DS segment register, which allows guest OS users to gain guest OS privileges via a crafted application.
(CVE-2013-0228)

Memory leak in drivers/net/xen-netback/netback.c in the Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (memory consumption) by triggering certain error conditions. (CVE-2013-0217)

The Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (loop) by triggering ring pointer corruption. (CVE-2013-0216)

The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (CVE-2012-6547)

The updated packages provides a solution for these security issues.

The SUSE Linux Enterprise 11 Service Pack 2 kernel has been updated to Linux kernel 3.0.80 which fixes various bugs and security issues.

The following security issues have been fixed :

  - Timing side channel on attacks were possible on     /dev/ptmx that could allow local attackers to predict     keypresses like e.g. passwords. This has been fixed     again by updating accessed/modified time on the pty     devices in resolution of 8 seconds, so that idle time     detection can still work. (CVE-2013-0160)

  - The vcc_recvmsg function in net/atm/common.c in the     Linux kernel did not initialize a certain length     variable, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3222)

  - The ax25_recvmsg function in net/ax25/af_ax25.c in the     Linux kernel did not initialize a certain data     structure, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3223)

  - The bt_sock_recvmsg function in     net/bluetooth/af_bluetooth.c in the Linux kernel did not     properly initialize a certain length variable, which     allowed local users to obtain sensitive information from     kernel stack memory via a crafted recvmsg or recvfrom     system call. (CVE-2013-3224)

  - The rfcomm_sock_recvmsg function in     net/bluetooth/rfcomm/sock.c in the Linux kernel did not     initialize a certain length variable, which allowed     local users to obtain sensitive information from kernel     stack memory via a crafted recvmsg or recvfrom system     call. (CVE-2013-3225)

  - The caif_seqpkt_recvmsg function in     net/caif/caif_socket.c in the Linux kernel did not     initialize a certain length variable, which allowed     local users to obtain sensitive information from kernel     stack memory via a crafted recvmsg or recvfrom system     call. (CVE-2013-3227)

  - The irda_recvmsg_dgram function in net/irda/af_irda.c in     the Linux kernel did not initialize a certain length     variable, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3228)

  - The iucv_sock_recvmsg function in net/iucv/af_iucv.c in     the Linux kernel did not initialize a certain length     variable, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3229)

  - The llc_ui_recvmsg function in net/llc/af_llc.c in the     Linux kernel did not initialize a certain length     variable, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3231)

  - The nr_recvmsg function in net/netrom/af_netrom.c in the     Linux kernel did not initialize a certain data     structure, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3232)

  - The rose_recvmsg function in net/rose/af_rose.c in the     Linux kernel did not initialize a certain data     structure, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3234)

  - net/tipc/socket.c in the Linux kernel did not initialize     a certain data structure and a certain length variable,     which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3235)

  - The crypto API in the Linux kernel did not initialize     certain length variables, which allowed local users to     obtain sensitive information from kernel stack memory     via a crafted recvmsg or recvfrom system call, related     to the hash_recvmsg function in crypto/algif_hash.c and     the skcipher_recvmsg function in     crypto/algif_skcipher.c. (CVE-2013-3076)

  - The scm_set_cred function in include/net/scm.h in the     Linux kernel used incorrect uid and gid values during     credentials passing, which allowed local users to gain     privileges via a crafted application. (CVE-2013-1979)

  - A kernel information leak via tkill/tgkill was fixed.
    The following bugs have been fixed :

  - reiserfs: fix spurious multiple-fill in     reiserfs_readdir_dentry. (bnc#822722)

  - libfc: do not exch_done() on invalid sequence ptr.
    (bnc#810722)

  - netfilter: ip6t_LOG: fix logging of packet mark.
    (bnc#821930)

  - hyperv: use 3.4 as LIC version string. (bnc#822431)

  - virtio_net: introduce VIRTIO_NET_HDR_F_DATA_VALID.
    (bnc#819655)

  - xen/netback: do not disconnect frontend when seeing     oversize packet.

  - xen/netfront: reduce gso_max_size to account for max TCP     header.

  - xen/netfront: fix kABI after 'reduce gso_max_size to     account for max TCP header'.

  - xfs: Fix kABI due to change in xfs_buf. (bnc#815356)

  - xfs: fix race while discarding buffers [V4] (bnc#815356     (comment 36)).

  - xfs: Serialize file-extending direct IO. (bnc#818371)

  - xhci: Do not switch webcams in some HP ProBooks to XHCI.
    (bnc#805804)

  - bluetooth: Do not switch BT on HP ProBook 4340.
    (bnc#812281)

  - s390/ftrace: fix mcount adjustment. (bnc#809895)

  - mm: memory_dev_init make sure nmi watchdog does not     trigger while registering memory sections. (bnc#804609,     bnc#820434)

  - patches.fixes/xfs-backward-alloc-fix.diff: xfs: Avoid     pathological backwards allocation. (bnc#805945)

  - mm: compaction: Restart compaction from near where it     left off

  - mm: compaction: cache if a pageblock was scanned and no     pages were isolated

  - mm: compaction: clear PG_migrate_skip based on     compaction and reclaim activity

  - mm: compaction: Scan PFN caching KABI workaround

  - mm: page_allocator: Remove first_pass guard

  - mm: vmscan: do not stall on writeback during memory     compaction Cache compaction restart points for faster     compaction cycles. (bnc#816451)

  - qlge: fix dma map leak when the last chunk is not     allocated. (bnc#819519)

  - SUNRPC: Get rid of the redundant xprt->shutdown bit     field. (bnc#800907)

  - SUNRPC: Ensure that we grab the XPRT_LOCK before calling     xprt_alloc_slot. (bnc#800907)

  - SUNRPC: Fix a UDP transport regression. (bnc#800907)

  - SUNRPC: Allow caller of rpc_sleep_on() to select     priority levels. (bnc#800907)

  - SUNRPC: Replace xprt->resend and xprt->sending with a     priority queue. (bnc#800907)

  - SUNRPC: Fix potential races in xprt_lock_write_next().
    (bnc#800907)

  - md: cannot re-add disks after recovery. (bnc#808647)

  - fs/xattr.c:getxattr(): improve handling of allocation     failures. (bnc#818053)

  - fs/xattr.c:listxattr(): fall back to vmalloc() if     kmalloc() failed. (bnc#818053)

  - fs/xattr.c:setxattr(): improve handling of allocation     failures. (bnc#818053)

  - fs/xattr.c: suppress page allocation failure warnings     from sys_listxattr(). (bnc#818053)

  - virtio-blk: Call revalidate_disk() upon online disk     resize. (bnc#817339)

  - usb-storage: CY7C68300A chips do not support Cypress     ATACB. (bnc#819295)

  - patches.kernel.org/patch-3.0.60-61: Update references     (add bnc#810580).

  - usb: Using correct way to clear usb3.0 devices remote     wakeup feature. (bnc#818516)

  - xhci: Fix TD size for isochronous URBs. (bnc#818514)

  - ALSA: hda - fixup D3 pin and right channel mute on     Haswell HDMI audio. (bnc#818798)

  - ALSA: hda - Apply pin-enablement workaround to all     Haswell HDMI codecs. (bnc#818798)

  - xfs: fallback to vmalloc for large buffers in     xfs_attrmulti_attr_get. (bnc#818053)

  - xfs: fallback to vmalloc for large buffers in     xfs_attrlist_by_handle. (bnc#818053)

  - xfs: xfs: fallback to vmalloc for large buffers in     xfs_compat_attrlist_by_handle. (bnc#818053)

  - xHCI: store rings type.

  - xhci: Fix hang on back-to-back Set TR Deq Ptr commands.

  - xHCI: check enqueue pointer advance into dequeue seg.

  - xHCI: store rings last segment and segment numbers.

  - xHCI: Allocate 2 segments for transfer ring.

  - xHCI: count free TRBs on transfer ring.

  - xHCI: factor out segments allocation and free function.

  - xHCI: update sg tablesize.

  - xHCI: set cycle state when allocate rings.

  - xhci: Reserve one command for USB3 LPM disable.

  - xHCI: dynamic ring expansion.

  - xhci: Do not warn on empty ring for suspended devices.

  - md/raid1: Do not release reference to device while     handling read error. (bnc#809122, bnc#814719)

  - rpm/mkspec: Stop generating the get_release_number.sh     file.

  - rpm/kernel-spec-macros: Properly handle KOTD release     numbers with .g suffix.

  - rpm/kernel-spec-macros: Drop the %release_num macro We     no longer put the -rcX tag into the release string.

  - rpm/kernel-*.spec.in, rpm/mkspec: Do not force the     '<RELEASE>' string in specfiles.

  - mm/mmap: check for RLIMIT_AS before unmapping.
    (bnc#818327)

  - mm: Fix add_page_wait_queue() to work for PG_Locked bit     waiters. (bnc#792584)

  - mm: Fix add_page_wait_queue() to work for PG_Locked bit     waiters. (bnc#792584)

  - bonding: only use primary address for ARP. (bnc#815444)

  - bonding: remove entries for master_ip and vlan_ip and     query devices instead. (bnc#815444)

  - mm: speedup in __early_pfn_to_nid. (bnc#810624)

  - TTY: fix atime/mtime regression. (bnc#815745)

  - sd_dif: problem with verify of type 1 protection     information (PI). (bnc#817010)

  - sched: harden rq rt usage accounting. (bnc#769685,     bnc#788590)

  - rcu: Avoid spurious RCU CPU stall warnings. (bnc#816586)

  - rcu: Dump local stack if cannot dump all CPUs stacks.
    (bnc#816586)

  - rcu: Fix detection of abruptly-ending stall.
    (bnc#816586)

  - rcu: Suppress NMI backtraces when stall ends before     dump. (bnc#816586)

  - Update Xen patches to 3.0.74.

  - btrfs: do not re-enter when allocating a chunk.

  - btrfs: save us a read_lock.

  - btrfs: Check CAP_DAC_READ_SEARCH for     BTRFS_IOC_INO_PATHS.

  - btrfs: remove unused fs_info from btrfs_decode_error().

  - btrfs: handle null fs_info in btrfs_panic().

  - btrfs: fix varargs in __btrfs_std_error.

  - btrfs: fix the race between bio and btrfs_stop_workers.

  - btrfs: fix NULL pointer after aborting a transaction.

  - btrfs: fix infinite loop when we abort on mount.

  - xfs: Do not allocate new buffers on every call to
    _xfs_buf_find. (bnc#763968)

  - xfs: fix buffer lookup race on allocation failure.
    (bnc#763968)

An information leak was discovered in the Linux kernel when inotify is used to monitor the /dev/ptmx device. A local user could exploit this flaw to discover keystroke timing and potentially discover sensitive information like password length. (CVE-2013-0160)

An information leak was discovered in the Linux kernel's tkill and tgkill system calls when used from compat processes. A local user could exploit this flaw to examine potentially sensitive kernel memory. (CVE-2013-2141)

A flaw was discovered in the Linux kernel's perf events subsystem for Intel Sandy Bridge and Ivy Bridge processors. A local user could exploit this flaw to cause a denial of service (system crash).
(CVE-2013-2146)

An information leak was discovered in the Linux kernel's crypto API. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3076)

An information leak was discovered in the Linux kernel's rcvmsg path for ATM (Asynchronous Transfer Mode). A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3222)

An information leak was discovered in the Linux kernel's recvmsg path for ax25 address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3223)

An information leak was discovered in the Linux kernel's recvmsg path for the bluetooth address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3224)

An information leak was discovered in the Linux kernel's bluetooth rfcomm protocol support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3225)

An information leak was discovered in the Linux kernel's CAIF protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3227)

An information leak was discovered in the Linux kernel's IRDA (infrared) support subsystem. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3228)

An information leak was discovered in the Linux kernel's s390 - z/VM support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3229)

An information leak was discovered in the Linux kernel's l2tp (Layer Two Tunneling Protocol) implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3230)

An information leak was discovered in the Linux kernel's llc (Logical Link Layer 2) support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3231)

An information leak was discovered in the Linux kernel's receive message handling for the netrom address family. A local user could exploit this flaw to obtain sensitive information from the kernel's stack memory. (CVE-2013-3232)

An information leak was discovered in the Linux kernel's nfc (near field communication) support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3233)

An information leak was discovered in the Linux kernel's Rose X.25 protocol layer. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3234)

An information leak was discovered in the Linux kernel's TIPC (Transparent Inter Process Communication) protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3235).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An information leak was discovered in the Linux kernel when inotify is used to monitor the /dev/ptmx device. A local user could exploit this flaw to discover keystroke timing and potentially discover sensitive information like password length. (CVE-2013-0160)

A flaw was discovered in the Linux kernel's perf events subsystem for Intel Sandy Bridge and Ivy Bridge processors. A local user could exploit this flaw to cause a denial of service (system crash).
(CVE-2013-2146)

An information leak was discovered in the Linux kernel's crypto API. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3076)

An information leak was discovered in the Linux kernel's rcvmsg path for ATM (Asynchronous Transfer Mode). A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3222)

An information leak was discovered in the Linux kernel's recvmsg path for ax25 address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3223)

An information leak was discovered in the Linux kernel's recvmsg path for the bluetooth address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3224)

An information leak was discovered in the Linux kernel's bluetooth rfcomm protocol support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3225)

An information leak was discovered in the Linux kernel's CAIF protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3227)

An information leak was discovered in the Linux kernel's IRDA (infrared) support subsystem. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3228)

An information leak was discovered in the Linux kernel's s390 - z/VM support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3229)

An information leak was discovered in the Linux kernel's llc (Logical Link Layer 2) support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3231)

An information leak was discovered in the Linux kernel's receive message handling for the netrom address family. A local user could exploit this flaw to obtain sensitive information from the kernel's stack memory. (CVE-2013-3232)

An information leak was discovered in the Linux kernel's Rose X.25 protocol layer. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3234)

An information leak was discovered in the Linux kernel's TIPC (Transparent Inter Process Communication) protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3235).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Andrew Honig reported a flaw in the way KVM (Kernel-based Virtual Machine) emulated the IOAPIC. A privileged guest user could exploit this flaw to read host memory or cause a denial of service (crash the host). (CVE-2013-1798)

An information leak was discovered in the Linux kernel's rcvmsg path for ATM (Asynchronous Transfer Mode). A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3222)

An information leak was discovered in the Linux kernel's recvmsg path for ax25 address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3223)

An information leak was discovered in the Linux kernel's recvmsg path for the bluetooth address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3224)

An information leak was discovered in the Linux kernel's bluetooth rfcomm protocol support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3225)

An information leak was discovered in the Linux kernel's IRDA (infrared) support subsystem. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3228)

An information leak was discovered in the Linux kernel's s390 - z/VM support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3229)

An information leak was discovered in the Linux kernel's llc (Logical Link Layer 2) support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3231)

An information leak was discovered in the Linux kernel's receive message handling for the netrom address family. A local user could exploit this flaw to obtain sensitive information from the kernel's stack memory. (CVE-2013-3232)

An information leak was discovered in the Linux kernel's Rose X.25 protocol layer. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3234)

An information leak was discovered in the Linux kernel's TIPC (Transparent Inter Process Communication) protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3235).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An information leak was discovered in the Linux kernel's crypto API. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3076)

An information leak was discovered in the Linux kernel's rcvmsg path for ATM (Asynchronous Transfer Mode). A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3222)

An information leak was discovered in the Linux kernel's recvmsg path for ax25 address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3223)

An information leak was discovered in the Linux kernel's recvmsg path for the bluetooth address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3224)

An information leak was discovered in the Linux kernel's bluetooth rfcomm protocol support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3225)

An information leak was discovered in the Linux kernel's bluetooth SCO sockets implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3226)

An information leak was discovered in the Linux kernel's CAIF protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3227)

An information leak was discovered in the Linux kernel's IRDA (infrared) support subsystem. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3228)

An information leak was discovered in the Linux kernel's s390 - z/VM support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3229)

An information leak was discovered in the Linux kernel's l2tp (Layer Two Tunneling Protocol) implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3230)

An information leak was discovered in the Linux kernel's llc (Logical Link Layer 2) support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3231)

An information leak was discovered in the Linux kernel's nfc (near field communication) support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3233)

An information leak was discovered in the Linux kernel's Rose X.25 protocol layer. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3234)

An information leak was discovered in the Linux kernel's TIPC (Transparent Inter Process Communication) protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3235).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2013-0160     vladz reported a timing leak with the /dev/ptmx     character device. A local user could use this to     determine sensitive information such as password length.

  - CVE-2013-1796     Andrew Honig of Google reported an issue in the KVM     subsystem. A user in a guest operating system could     corrupt kernel memory, resulting in a denial of service.

  - CVE-2013-1929     Oded Horovitz and Brad Spengler reported an issue in the     device driver for Broadcom Tigon3 based gigabit     Ethernet. Users with the ability to attach untrusted     devices can create an overflow condition, resulting in a     denial of service or elevated privileges.

  - CVE-2013-1979     Andy Lutomirski reported an issue in the socket level     control message processing subsystem. Local users may be     able to gain eleveated privileges.

  - CVE-2013-2015     Theodore Ts'o provided a fix for an issue in the ext4     filesystem. Local users with the ability to mount a     specially crafted filesystem can cause a denial of     service (infinite loop).

  - CVE-2013-2094     Tommie Rantala discovered an issue in the perf     subsystem. An out-of-bounds access vulnerability allows     local users to gain elevated privileges.

  - CVE-2013-3076     Mathias Krause discovered an issue in the userspace     interface for hash algorithms. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3222     Mathias Krause discovered an issue in the Asynchronous     Transfer Mode (ATM) protocol support. Local users can     gain access to sensitive kernel memory.

  - CVE-2013-3223     Mathias Krause discovered an issue in the Amateur Radio     AX.25 protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3224     Mathias Krause discovered an issue in the Bluetooth     subsystem. Local users can gain access to sensitive     kernel memory.

  - CVE-2013-3225     Mathias Krause discovered an issue in the Bluetooth     RFCOMM protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3227     Mathias Krause discovered an issue in the Communication     CPU to Application CPU Interface (CAIF). Local users can     gain access to sensitive kernel memory.

  - CVE-2013-3228     Mathias Krause discovered an issue in the IrDA     (infrared) subsystem support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3229     Mathias Krause discovered an issue in the IUCV support     on s390 systems. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3231     Mathias Krause discovered an issue in the ANSI/IEEE     802.2 LLC type 2 protocol support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3234     Mathias Krause discovered an issue in the Amateur Radio     X.25 PLP (Rose) protocol support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3235     Mathias Krause discovered an issue in the Transparent     Inter Process Communication (TIPC) protocol support.
    Local users can gain access to sensitive kernel memory.

  - CVE-2013-3301     Namhyung Kim reported an issue in the tracing subsystem.
    A privileged local user could cause a denial of service     (system crash). This vulnerabililty is not applicable to     Debian systems by default.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2012-2121     Benjamin Herrenschmidt and Jason Baron discovered issues     with the IOMMU mapping of memory slots used in KVM     device assignment. Local users with the ability to     assign devices could cause a denial of service due to a     memory page leak.

  - CVE-2012-3552     Hafid Lin reported an issue in the IP networking     subsystem. A remote user can cause a denial of service     (system crash) on servers running applications that set     options on sockets which are actively being processed.

  - CVE-2012-4461     Jon Howell reported a denial of service issue in the KVM     subsystem. On systems that do not support the XSAVE     feature, local users with access to the /dev/kvm     interface can cause a system crash.

  - CVE-2012-4508     Dmitry Monakhov and Theodore Ts'o reported a race     condition in the ext4 filesystem. Local users could gain     access to sensitive kernel memory.

  - CVE-2012-6537     Mathias Krause discovered information leak issues in the     Transformation user configuration interface. Local users     with the CAP_NET_ADMIN capability can gain access to     sensitive kernel memory.

  - CVE-2012-6539     Mathias Krause discovered an issue in the networking     subsystem. Local users on 64-bit systems can gain access     to sensitive kernel memory.

  - CVE-2012-6540     Mathias Krause discovered an issue in the Linux virtual     server subsystem. Local users can gain access to     sensitive kernel memory. Note: this issue does not     affect Debian provided kernels, but may affect custom     kernels built from Debian's linux-source-2.6.32 package.

  - CVE-2012-6542     Mathias Krause discovered an issue in the LLC protocol     support code. Local users can gain access to sensitive     kernel memory.

  - CVE-2012-6544     Mathias Krause discovered issues in the Bluetooth     subsystem. Local users can gain access to sensitive     kernel memory.

  - CVE-2012-6545     Mathias Krause discovered issues in the Bluetooth RFCOMM     protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2012-6546     Mathias Krause discovered issues in the ATM networking     support. Local users can gain access to sensitive kernel     memory.

  - CVE-2012-6548     Mathias Krause discovered an issue in the UDF file     system support. Local users can obtain access to     sensitive kernel memory.

  - CVE-2012-6549     Mathias Krause discovered an issue in the isofs file     system support. Local users can obtain access to     sensitive kernel memory.

  - CVE-2013-0349     Anderson Lizardo discovered an issue in the Bluetooth     Human Interface Device Protocol (HIDP) stack. Local     users can obtain access to sensitive kernel memory.

  - CVE-2013-0914     Emese Revfy discovered an issue in the signal     implementation. Local users may be able to bypass the     address space layout randomization (ASLR) facility due     to a leaking of information to child processes.

  - CVE-2013-1767     Greg Thelen reported an issue in the tmpfs virtual     memory filesystem. Local users with sufficient privilege     to mount filesystems can cause a denial of service or     possibly elevated privileges due to a use-after free     defect.

  - CVE-2013-1773     Alan Stern provided a fix for a defect in the     UTF8->UTF16 string conversion facility used by the VFAT     filesystem. A local user could cause a buffer overflow     condition, resulting in a denial of service or     potentially elevated privileges.

  - CVE-2013-1774     Wolfgang Frisch provided a fix for a NULL pointer     dereference defect in the driver for some serial USB     devices from Inside Out Networks. Local users with     permission to access these devices can create a denial     of service (kernel oops) by causing the device to be     removed while it is in use.

  - CVE-2013-1792     Mateusz Guzik of Red Hat EMEA GSS SEG Team discovered a     race condition in the access key retention support in     the kernel. A local user could cause a denial of service     (NULL pointer dereference).

  - CVE-2013-1796     Andrew Honig of Google reported an issue in the KVM     subsystem. A user in a guest operating system could     corrupt kernel memory, resulting in a denial of service.

  - CVE-2013-1798     Andrew Honig of Google reported an issue in the KVM     subsystem. A user in a guest operating system could     cause a denial of service due to a use after-free     defect.

  - CVE-2013-1826     Mathias Krause discovered an issue in the Transformation     (XFRM) user configuration interface of the networking     stack. A user with the CAP_NET_ADMIN capability may be     able to gain elevated privileges.

  - CVE-2013-1860     Oliver Neukum discovered an issue in the USB CDC WCM     Device Management driver. Local users with the ability     to attach devices can cause a denial of service (kernel     crash) or potentially gain elevated privileges.

  - CVE-2013-1928     Kees Cook provided a fix for an information leak in the     VIDEO_SET_SPU_PALETTE ioctl for 32-bit applications     running on a 64-bit kernel. Local users can gain access     to sensitive kernel memory.

  - CVE-2013-1929     Oded Horovitz and Brad Spengler reported an issue in the     device driver for Broadcom Tigon3 based gigabit     Ethernet. Users with the ability to attach untrusted     devices can create an overflow condition, resulting in a     denial of service or elevated privileges.

  - CVE-2013-2015     Theodore Ts'o provided a fix for an issue in the ext4     filesystem. Local users with the ability to mount a     specially crafted filesystem can cause a denial of     service (infinite loop).

  - CVE-2013-2634     Mathias Krause discovered a few issues in the Data     Center Bridging (DCB) netlink interface. Local users can     gain access to sensitive kernel memory.

  - CVE-2013-3222     Mathias Krause discovered an issue in the Asynchronous     Transfer Mode (ATM) protocol support. Local users can     gain access to sensitive kernel memory.

  - CVE-2013-3223     Mathias Krause discovered an issue in the Amateur Radio     AX.25 protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3224     Mathias Krause discovered an issue in the Bluetooth     subsystem. Local users can gain access to sensitive     kernel memory.

  - CVE-2013-3225     Mathias Krause discovered an issue in the Bluetooth     RFCOMM protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3228     Mathias Krause discovered an issue in the IrDA     (infrared) subsystem support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3229     Mathias Krause discovered an issue in the IUCV support     on s390 systems. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3231     Mathias Krause discovered an issue in the ANSI/IEEE     802.2 LLC type 2 protocol support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3234     Mathias Krause discovered an issue in the Amateur Radio     X.25 PLP (Rose) protocol support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3235     Mathias Krause discovered an issue in the Transparent     Inter Process Communication (TIPC) protocol support.
    Local users can gain access to sensitive kernel memory.

ID	Name	Product	Family	Severity
83618	SUSE SLES10 Security Update : kernel (SUSE-SU-2014:0536-1)	Nessus	SuSE Local Security Checks	medium
83611	SUSE SLES11 Security Update : kernel (SUSE-SU-2014:0287-1)	Nessus	SuSE Local Security Checks	high
83603	SUSE SLES10 Security Update : kernel (SUSE-SU-2013:1832-1)	Nessus	SuSE Local Security Checks	high
74878	openSUSE Security Update : kernel (openSUSE-SU-2013:1971-1)	Nessus	SuSE Local Security Checks	high
68954	SuSE 11.3 Security Update : Linux kernel (SAT Patch Numbers 7991 / 7992 / 7994)	Nessus	SuSE Local Security Checks	medium
66975	Mandriva Linux Security Advisory : kernel (MDVSA-2013:176)	Nessus	Mandriva Local Security Checks	high
66912	SuSE 11.2 Security Update : Linux kernel (SAT Patch Numbers 7811 / 7813 / 7814)	Nessus	SuSE Local Security Checks	medium
66904	Ubuntu 12.10 : linux vulnerabilities (USN-1881-1)	Nessus	Ubuntu Local Security Checks	medium
66903	Ubuntu 12.04 LTS : linux-lts-quantal vulnerabilities (USN-1880-1)	Nessus	Ubuntu Local Security Checks	medium
66902	Ubuntu 12.04 LTS : linux vulnerabilities (USN-1878-1)	Nessus	Ubuntu Local Security Checks	medium
66901	Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1877-1)	Nessus	Ubuntu Local Security Checks	medium
66900	Ubuntu 10.04 LTS : linux vulnerabilities (USN-1876-1)	Nessus	Ubuntu Local Security Checks	medium
66590	Ubuntu 13.04 : linux vulnerabilities (USN-1837-1)	Nessus	Ubuntu Local Security Checks	medium
66486	Debian DSA-2669-1 : linux - privilege escalation/denial of service/information leak	Nessus	Debian Local Security Checks	high
66431	Debian DSA-2668-1 : linux-2.6 - privilege escalation/denial of service/information leak	Nessus	Debian Local Security Checks	medium

CVE-2013-3229

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins