http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2ba1fe7a06d3624f9a7586d672b55f08f7c670f3

SUSE-SU-2016:0911

SUSE-SU-2016:1102

SUSE-SU-2016:2074

DSA-3503

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.1

[oss-security] 20160119 Security bugs in Linux kernel sound subsystem

83382

USN-2929-1

USN-2929-2

USN-2930-1

USN-2930-2

USN-2930-3

USN-2931-1

USN-2932-1

USN-2967-1

USN-2967-2

https://bugzilla.redhat.com/show_bug.cgi?id=1311570

https://github.com/torvalds/linux/commit/2ba1fe7a06d3624f9a7586d672b55f08f7c670f3

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The hi3660_stub_clk_probe function in     drivers/clk/hisilicon/clk-hi3660-stub.c in the Linux     kernel before 4.16 allows local users to cause a denial     of service (NULL pointer dereference) by triggering a     failure of resource retrieval.(CVE-2018-10074i1/4%0

  - An information leak flaw was found in the RAM Disks     Memory Copy (rd_mcp) backend driver of the iSCSI Target     subsystem of the Linux kernel. A privileged user could     use this flaw to leak the contents of kernel memory to     an iSCSI initiator remote client.(CVE-2014-4027i1/4%0

  - It was found that in the Linux kernel version 4.2-rc1     to 4.3-rc1, a use of uninitialized 'n_proto',     'ip_proto', and 'thoff' variables in
    __skb_flow_dissect() function can lead to a remote     denial-of-service via malformed MPLS     packet.(CVE-2017-13715i1/4%0

  - It was found that the packet_set_ring() function of the     Linux kernel's networking implementation did not     properly validate certain block-size data. A local     attacker with CAP_NET_RAW capability could use this     flaw to trigger a buffer overflow, resulting in the     crash of the system. Due to the nature of the flaw,     privilege escalation cannot be fully ruled     out.(CVE-2017-7308i1/4%0

  - A weakness was found in the Linux ASLR implementation.
    Any user able to running 32-bit applications in a x86     machine can disable ASLR by setting the RLIMIT_STACK     resource to unlimited.(CVE-2016-3672i1/4%0

  - sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c in the     MSM QDSP6 audio driver for the Linux kernel 3.x, as     used in Qualcomm Innovation Center (QuIC) Android     contributions for MSM devices and other products,     allows attackers to cause a denial of service     (out-of-bounds write and memory corruption) or possibly     have unspecified other impact via a crafted application     that makes an ioctl call triggering incorrect use of a     parameters pointer.(CVE-2016-2065i1/4%0

  - A race condition flaw was found in the ioctl_send_fib()     function in the Linux kernel's aacraid implementation.
    A local attacker could use this flaw to cause a denial     of service (out-of-bounds access or system crash) by     changing a certain size value.(CVE-2016-6480i1/4%0

  - The omninet_open function in     drivers/usb/serial/omninet.c in the Linux kernel before     4.10.4 allows local users to cause a denial of service     (tty exhaustion) by leveraging reference count     mishandling.(CVE-2017-8925i1/4%0

  - The tower_probe function in     drivers/usb/misc/legousbtower.c in the Linux kernel     before 4.8.1 allows local users (who are physically     proximate for inserting a crafted USB device) to gain     privileges by leveraging a write-what-where condition     that occurs after a race condition and a NULL pointer     dereference.(CVE-2017-15102i1/4%0

  - The rtnl_fill_link_ifmap function in     net/core/rtnetlink.c in the Linux kernel before 4.5.5     does not initialize a certain data structure, which     allows local users to obtain sensitive information from     kernel stack memory by reading a Netlink     message.(CVE-2016-4486i1/4%0

  - A vulnerability was found in the Linux kernel's     lp_setup() function where it doesn't apply any bounds     checking when passing 'lp=none'. This can result into     overflow of the parport_nr array. An attacker with     control over kernel command line can overwrite kernel     code and data with fixed (0xff)     values.(CVE-2017-1000363i1/4%0

  - sound/core/hrtimer.c in the Linux kernel before 4.4.1     does not prevent recursive callback access, which     allows local users to cause a denial of service     (deadlock) via a crafted ioctl call.(CVE-2016-2549i1/4%0

  - The pn_recvmsg function in net/phonet/datagram.c in the     Linux kernel before 3.12.4 updates a certain length     value before ensuring that an associated data structure     has been initialized, which allows local users to     obtain sensitive information from kernel stack memory     via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system     call.(CVE-2013-7265i1/4%0

  - A NULL pointer dereference flaw was found in the SCTP     implementation. A local user could use this flaw to     cause a denial of service on the system by triggering a     kernel panic when creating multiple sockets in parallel     while the system did not have the SCTP module     loaded.(CVE-2015-5283i1/4%0

  - It was found that in Linux kernel the mount table     expands by a power-of-two with each bind mount command.
    If a system is configured to allow non-privileged user     to do bind mounts, or allows to do so in a container or     unprivileged mount namespace, then non-privileged user     is able to cause a local DoS by overflowing the mount     table, which causes a deadlock for the whole     system.(CVE-2016-6213i1/4%0

  - The cifs_iovec_write function in fs/cifs/file.c in the     Linux kernel through 3.13.5 does not properly handle     uncached write operations that copy fewer than the     requested number of bytes, which allows local users to     obtain sensitive information from kernel memory, cause     a denial of service (memory corruption and system     crash), or possibly gain privileges via a writev system     call with a crafted pointer.(CVE-2014-0069i1/4%0

  - A flaw was found in the Linux kernel's implementation     of XFS file attributes. Two memory leaks were detected     in xfs_attr_shortform_list and xfs_attr3_leaf_list_int     when running a docker container backed by xfs/overlay2.
    A dedicated attacker could possible exhaust all memory     and create a denial of service     situation.(CVE-2016-9685i1/4%0

  - Multiple integer overflows in the MDSS driver for the     Linux kernel 3.x, as used in Qualcomm Innovation Center     (QuIC) Android contributions for MSM devices and other     products, allow attackers to cause a denial of service     or possibly have unspecified other impact via a large     size value, related to mdss_compat_utils.c, mdss_fb.c,     and mdss_rotator.c.(CVE-2016-5344i1/4%0

  - kernel/bpf/verifier.c in the Linux kernel through     4.14.8 ignores unreachable code, even though it would     still be processed by JIT compilers. This behavior,     also considered an improper branch-pruning logic issue,     could possibly be used by local users for denial of     service.(CVE-2017-17862i1/4%0

  - A flaw was found in the Linux kernel's implementation     of the SCTP protocol. A remote attacker could trigger     an out-of-bounds read with an offset of up to 64kB     potentially causing the system to     crash.(CVE-2016-9555i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The snd_timer_interrupt function in sound/core/timer.c     in the Linux kernel before 4.4.1 does not properly     maintain a certain linked list, which allows local     users to cause a denial of service (race condition and     system crash) via a crafted ioctl call.(CVE-2016-2545)

  - sound/core/timer.c in the Linux kernel before 4.4.1     uses an incorrect type of mutex, which allows local     users to cause a denial of service (race condition,     use-after-free, and system crash) via a crafted ioctl     call.(CVE-2016-2546)

  - sound/core/timer.c in the Linux kernel before 4.4.1     employs a locking approach that does not consider slave     timer instances, which allows local users to cause a     denial of service (race condition, use-after-free, and     system crash) via a crafted ioctl call.(CVE-2016-2547)

  - sound/core/timer.c in the Linux kernel before 4.4.1     retains certain linked lists after a close or stop     action, which allows local users to cause a denial of     service (system crash) via a crafted ioctl call,     related to the (1) snd_timer_close and (2)
    _snd_timer_stop functions.(CVE-2016-2548)

  - sound/core/hrtimer.c in the Linux kernel before 4.4.1     does not prevent recursive callback access, which     allows local users to cause a denial of service     (deadlock) via a crafted ioctl call.(CVE-2016-2549)

  - A resource-exhaustion vulnerability was found in the     kernel, where an unprivileged process could allocate     and accumulate far more file descriptors than the     process' limit. A local, unauthenticated user could     exploit this flaw by sending file descriptors over a     Unix socket and then closing them to keep the process'     fd count low, thereby creating kernel-memory or     file-descriptors exhaustion (denial of     service).(CVE-2016-2550)

  - It is possible for a single process to cause an OOM     condition by filling large pipes with data that are     never read. A typical process filling 4096 pipes with 1     MB of data will use 4 GB of memory and there can be     multiple such processes, up to a     per-user-limit.(CVE-2016-2847)

  - A security flaw was found in the Linux kernel that an     attempt to move page mapped by AIO ring buffer to the     other node triggers NULL pointer dereference at     trace_writeback_dirty_page(), because     aio_fs_backing_dev_info.dev is 0.(CVE-2016-3070)

  - A security flaw was found in the Linux kernel in the     mark_source_chains() function in     'net/ipv4/netfilter/ip_tables.c'. It is possible for a     user-supplied 'ipt_entry' structure to have a large     'next_offset' field. This field is not bounds checked     prior to writing to a counter value at the supplied     offset.(CVE-2016-3134)

  - An integer overflow vulnerability was found in the     Linux kernel in xt_alloc_table_info, which on 32-bit     systems can lead to small structure allocation and a     copy_from_user based heap corruption.(CVE-2016-3135)

  - The mct_u232_msr_to_state function in     drivers/usb/serial/mct_u232.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted USB device without two     interrupt-in endpoint descriptors.(CVE-2016-3136)

  - drivers/usb/serial/cypress_m8.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a USB device without both an     interrupt-in and an interrupt-out endpoint descriptor,     related to the cypress_generic_port_probe and     cypress_open functions.(CVE-2016-3137)

  - The acm_probe function in drivers/usb/class/cdc-acm.c     in the Linux kernel before 4.5.1 allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and system crash) via a USB device     without both a control and a data endpoint     descriptor.(CVE-2016-3138)

  - The wacom_probe function in     drivers/input/tablet/wacom_sys.c in the Linux kernel     before 3.17 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-3139)

  - The digi_port_init function in     drivers/usb/serial/digi_acceleport.c in the Linux     kernel before 4.5.1 allows physically proximate     attackers to cause a denial of service (NULL pointer     dereference and system crash) via a crafted endpoints     value in a USB device descriptor.(CVE-2016-3140)

  - 'A security flaw was found in the Linux kernel's     networking subsystem that destroying the network     interface with huge number of ipv4 addresses assigned     keeps ''rtnl_lock'' spinlock for a very long time (up     to hour). This blocks many network-related operations,     including creation of new incoming ssh connections.

  - The problem is especially important for containers, as     the container owner has enough permissions to trigger     this and block a network access on a whole host,     outside the container.(CVE-2016-3156)'

  - A weakness was found in the Linux ASLR implementation.
    Any user able to running 32-bit applications in a x86     machine can disable ASLR by setting the RLIMIT_STACK     resource to unlimited.(CVE-2016-3672)

  - The ims_pcu_parse_cdc_data function in     drivers/input/misc/ims-pcu.c in the Linux kernel before     4.5.1 allows physically proximate attackers to cause a     denial of service (system crash) via a USB device     without both a master and a slave     interface.(CVE-2016-3689)

  - It was found that the Linux kernel's IPv6     implementation mishandled socket options. A local     attacker could abuse concurrent access to the socket     options to escalate their privileges, or cause a denial     of service (use-after-free and system crash) via a     crafted sendmsg system call.(CVE-2016-3841)

  - The usbip_recv_xbuff function in     drivers/usb/usbip/usbip_common.c in the Linux kernel     before 4.5.3 allows remote attackers to cause a denial     of service (out-of-bounds write) or possibly have     unspecified other impact via a crafted length value in     a USB/IP packet.(CVE-2016-3955)

  - A flaw was found in the Linux kernel's keyring handling     code: the key_reject_and_link() function could be     forced to free an arbitrary memory block. An attacker     could use this flaw to trigger a use-after-free     condition on the system, potentially allowing for     privilege escalation.(CVE-2016-4470)

  - The proc_connectinfo() function in     'drivers/usb/core/devio.c' in the Linux kernel through     4.6 does not initialize a certain data structure, which     allows local users to obtain sensitive information from     kernel stack memory via a crafted USBDEVFS_CONNECTINFO     ioctl call. The stack object 'ci' has a total size of 8     bytes. Its last 3 bytes are padding bytes which are not     initialized and are leaked to userland.(CVE-2016-4482)

  - A flaw was found in the way certain interfaces of the     Linux kernel's Infiniband subsystem used write() as     bi-directional ioctl() replacement, which could lead to     insufficient memory security checks when being invoked     using the splice() system call. A local unprivileged     user on a system with either Infiniband hardware     present or RDMA Userspace Connection Manager Access     module explicitly loaded, could use this flaw to     escalate their privileges on the system.(CVE-2016-4565)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - dm: fix race between dm_get_from_kobject and
    __dm_destroy (Hou Tao) (CVE-2017-18203)

  - drm: udl: Properly check framebuffer mmap offsets (Greg     Kroah-Hartman) [Orabug: 27986407] (CVE-2018-8781)

  - kernel/exit.c: avoid undefined behaviour when calling     wait4 wait4(-2147483648, 0x20, 0, 0xdd0000) triggers:
    UBSAN: Undefined behaviour in kernel/exit.c:1651:9     (mridula shastry) [Orabug: 27875488] (CVE-2018-10087)

  - kernel/signal.c: avoid undefined behaviour in     kill_something_info When running kill(72057458746458112,     0) in userspace I hit the following issue. (mridula     shastry) (CVE-2018-10124)

  - bluetooth: Validate socket address length in     sco_sock_bind. (mlevatic) [Orabug: 28130293]     (CVE-2015-8575)

  - dccp: check sk for closed state in dccp_sendmsg (Alexey     Kodanev) [Orabug: 28220402] (CVE-2017-8824)     (CVE-2018-1130)

  - sctp: verify size of a new chunk in _sctp_make_chunk     (Alexey Kodanev) [Orabug: 28240075] (CVE-2018-5803)

  - mm/mempolicy.c: fix error handling in set_mempolicy and     mbind. (Chris Salls) [Orabug: 28242478] (CVE-2017-7616)

  - xfrm: policy: check policy direction value (Vladis     Dronov) [Orabug: 28264121] (CVE-2017-11600)     (CVE-2017-11600)

  - x86/fpu: Make eager FPU default (Mihai Carabas) [Orabug:
    28156176] (CVE-2018-3665)

  - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng     Li) [Orabug: 27951287] (CVE-2017-17741) (CVE-2017-17741)

  - xfs: set format back to extents if     xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug:
    27989498] (CVE-2018-10323)

  - Bluetooth: Prevent stack info leak from the EFS element.
    (Ben Seri) [Orabug: 28030520] (CVE-2017-1000410)     (CVE-2017-1000410)

  - ALSA: hrtimer: Fix stall by hrtimer_cancel (Takashi     Iwai) [Orabug: 28058229] (CVE-2016-2549)

  - ALSA: timer: Harden slave timer list handling (Takashi     Iwai) [Orabug: 28058229] (CVE-2016-2547) (CVE-2016-2548)

  - ALSA: timer: Fix double unlink of active_list (Takashi     Iwai) [Orabug: 28058229] (CVE-2016-2545)

  - ALSA: seq: Fix missing NULL check at remove_events ioctl     (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2543)

  - ALSA: seq: Fix race at timer setup and close (Takashi     Iwai) [Orabug: 28058229] (CVE-2016-2544)

  - ALSA: usb-audio: avoid freeing umidi object twice     (Andrey Konovalov) [Orabug: 28058229] (CVE-2016-2384)

  - perf/hwbp: Simplify the perf-hwbp code, fix     documentation (Linus Torvalds) [Orabug: 27947608]     (CVE-2018-1000199)

  - Revert 'perf/hwbp: Simplify the perf-hwbp code, fix     documentation' (Brian Maly) [Orabug: 27947608]

Description of changes:

kernel-uek kernel-uek [3.8.13-118.22.1.el7uek]
- dm: fix race between dm_get_from_kobject() and __dm_destroy() (Hou Tao)   {CVE-2017-18203}
- drm: udl: Properly check framebuffer mmap offsets (Greg Kroah-Hartman)   [Orabug: 27986407]  {CVE-2018-8781}
- kernel/exit.c: avoid undefined behaviour when calling wait4() wait4(-2147483648, 0x20, 0, 0xdd0000) triggers: UBSAN: Undefined behaviour in kernel/exit.c:1651:9 (mridula shastry)  [Orabug: 27875488] {CVE-2018-10087}
- kernel/signal.c: avoid undefined behaviour in kill_something_info When running kill(72057458746458112, 0) in userspace I hit the following issue. (mridula shastry)   {CVE-2018-10124}
- bluetooth: Validate socket address length in sco_sock_bind(). (mlevatic)  [Orabug: 28130293]  {CVE-2015-8575}
- dccp: check sk for closed state in dccp_sendmsg() (Alexey Kodanev) [Orabug: 28220402]  {CVE-2017-8824} {CVE-2018-1130}
- sctp: verify size of a new chunk in _sctp_make_chunk() (Alexey Kodanev)  [Orabug: 28240075]  {CVE-2018-5803}
- mm/mempolicy.c: fix error handling in set_mempolicy and mbind. (Chris Salls)  [Orabug: 28242478]  {CVE-2017-7616}
- xfrm: policy: check policy direction value (Vladis Dronov)  [Orabug: 28264121]  {CVE-2017-11600} {CVE-2017-11600}
- x86/fpu: Make eager FPU default (Mihai Carabas)  [Orabug: 28156176] {CVE-2018-3665}
- KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li)  [Orabug: 27951287]  {CVE-2017-17741} {CVE-2017-17741}
- xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen)  [Orabug: 27989498]  {CVE-2018-10323}
- Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) [Orabug: 28030520]  {CVE-2017-1000410} {CVE-2017-1000410}
- ALSA: hrtimer: Fix stall by hrtimer_cancel() (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2549}
- ALSA: timer: Harden slave timer list handling (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2547} {CVE-2016-2548}
- ALSA: timer: Fix double unlink of active_list (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2545}
- ALSA: seq: Fix missing NULL check at remove_events ioctl (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2543}
- ALSA: seq: Fix race at timer setup and close (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2544}
- ALSA: usb-audio: avoid freeing umidi object twice (Andrey Konovalov) [Orabug: 28058229]  {CVE-2016-2384}
- perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus Torvalds)  [Orabug: 27947608]  {CVE-2018-1000199}
- Revert 'perf/hwbp: Simplify the perf-hwbp code, fix documentation' (Brian Maly)  [Orabug: 27947608]

Description of changes:

[2.6.39-400.299.3.el6uek]
- x86/fpu: Make eager FPU default (Mihai Carabas)  [Orabug: 28156175] {CVE-2018-3665}
- ALSA: hrtimer: Fix stall by hrtimer_cancel() (Takashi Iwai)  [Orabug: 22876528]  {CVE-2016-2549}
- ALSA: timer: Harden slave timer list handling (Takashi Iwai)  [Orabug: 22876528]  {CVE-2016-2547} {CVE-2016-2548}
- ALSA: timer: Fix double unlink of active_list (Takashi Iwai)  [Orabug: 22876528]  {CVE-2016-2545}
- ALSA: seq: Fix missing NULL check at remove_events ioctl (Takashi Iwai)  [Orabug: 22876528]  {CVE-2016-2543}
- ALSA: seq: Fix race at timer setup and close (Takashi Iwai)  [Orabug: 22876528]  {CVE-2016-2544}
- ALSA: usb-audio: avoid freeing umidi object twice (Andrey Konovalov) [Orabug: 22876528]  {CVE-2016-2384}
- mlx4_ib: DREQ silently dropped by PF passive side (Venkat Venkatsubra)   [Orabug: 25090540] - net: tcpdump fails with EFAULT (Venkat Venkatsubra)  [Orabug: 25209691] - x86/spec: Remove rescan_spec_ctrl_feature as it's not needed anymore (Krish Sadhukhan) [Orabug: 27934121]

[2.6.39-400.299.2.el6uek]
- perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus Torvalds)  [Orabug: 27947612]  {CVE-2018-1000199}
- Revert 'perf/hwbp: Simplify the perf-hwbp code, fix documentation' (Brian Maly)  [Orabug: 27947612]

Description of changes:

kernel-uek [3.8.13-118.21.4.el7uek]
- x86/fpu: Make eager FPU default (Mihai Carabas)  [Orabug: 28156176] {CVE-2018-3665}

[3.8.13-118.21.3.el7uek]
- KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li)  [Orabug: 27951287]  {CVE-2017-17741} {CVE-2017-17741}
- xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen)  [Orabug: 27989498]  {CVE-2018-10323}
- Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) [Orabug: 28030520]  {CVE-2017-1000410} {CVE-2017-1000410}
- ALSA: hrtimer: Fix stall by hrtimer_cancel() (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2549}
- ALSA: timer: Harden slave timer list handling (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2547} {CVE-2016-2548}
- ALSA: timer: Fix double unlink of active_list (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2545}
- ALSA: seq: Fix missing NULL check at remove_events ioctl (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2543}
- ALSA: seq: Fix race at timer setup and close (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2544}
- ALSA: usb-audio: avoid freeing umidi object twice (Andrey Konovalov) [Orabug: 28058229]  {CVE-2016-2384}

[3.8.13-118.21.2.el7uek]
- perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus Torvalds)  [Orabug: 27947608]  {CVE-2018-1000199}
- Revert 'perf/hwbp: Simplify the perf-hwbp code, fix documentation' (Brian Maly)  [Orabug: 27947608]

The remote OracleVM system is missing necessary patches to address critical security updates :

  - x86/fpu: Make eager FPU default (Mihai Carabas) [Orabug:
    28156176] (CVE-2018-3665)

  - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng     Li) [Orabug: 27951287] (CVE-2017-17741) (CVE-2017-17741)

  - xfs: set format back to extents if     xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug:
    27989498] (CVE-2018-10323)

  - Bluetooth: Prevent stack info leak from the EFS element.
    (Ben Seri) [Orabug: 28030520] (CVE-2017-1000410)     (CVE-2017-1000410)

  - ALSA: hrtimer: Fix stall by hrtimer_cancel (Takashi     Iwai) [Orabug: 28058229] (CVE-2016-2549)

  - ALSA: timer: Harden slave timer list handling (Takashi     Iwai) [Orabug: 28058229] (CVE-2016-2547) (CVE-2016-2548)

  - ALSA: timer: Fix double unlink of active_list (Takashi     Iwai) [Orabug: 28058229] (CVE-2016-2545)

  - ALSA: seq: Fix missing NULL check at remove_events ioctl     (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2543)

  - ALSA: seq: Fix race at timer setup and close (Takashi     Iwai) [Orabug: 28058229] (CVE-2016-2544)

  - ALSA: usb-audio: avoid freeing umidi object twice     (Andrey Konovalov) [Orabug: 28058229] (CVE-2016-2384)

  - perf/hwbp: Simplify the perf-hwbp code, fix     documentation (Linus Torvalds) [Orabug: 27947608]     (CVE-2018-1000199)

  - Revert 'perf/hwbp: Simplify the perf-hwbp code, fix     documentation' (Brian Maly) [Orabug: 27947608]

The SUSE Linux Enterprise 11 SP2 kernel was updated to receive various security and bug fixes. The following security bugs were fixed :

  - CVE-2016-4486: Fixed 4 byte information leak in     net/core/rtnetlink.c (bsc#978822).

  - CVE-2016-3134: The netfilter subsystem in the Linux     kernel did not validate certain offset fields, which     allowed local users to gain privileges or cause a denial     of service (heap memory corruption) via an     IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

  - CVE-2016-2847: fs/pipe.c in the Linux kernel did not     limit the amount of unread data in pipes, which allowed     local users to cause a denial of service (memory     consumption) by creating many pipes with non-default     sizes (bnc#970948).

  - CVE-2016-2188: The iowarrior_probe function in     drivers/usb/misc/iowarrior.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted endpoints value in a USB device descriptor     (bnc#970956).

  - CVE-2016-3138: The acm_probe function in     drivers/usb/class/cdc-acm.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a USB device without both a control and a data endpoint     descriptor (bnc#970911).

  - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a USB device without both an     interrupt-in and an interrupt-out endpoint descriptor,     related to the cypress_generic_port_probe and     cypress_open functions (bnc#970970).

  - CVE-2016-3140: The digi_port_init function in     drivers/usb/serial/digi_acceleport.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970892).

  - CVE-2016-2186: The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970958).

  - CVE-2016-2185: The ati_remote2_probe function in     drivers/input/misc/ati_remote2.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#971124).

  - CVE-2016-3156: The IPv4 implementation in the Linux     kernel mishandles destruction of device objects, which     allowed guest OS users to cause a denial of service     (host OS networking outage) by arranging for a large     number of IP addresses (bnc#971360).

  - CVE-2016-2184: The create_fixed_stream_quirk function in     sound/usb/quirks.c in the snd-usb-audio driver in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference or     double free, and system crash) via a crafted endpoints     value in a USB device descriptor (bnc#971125).

  - CVE-2016-3139: The wacom_probe function in     drivers/input/tablet/wacom_sys.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970909).

  - CVE-2016-2143: The fork implementation in the Linux     kernel on s390 platforms mishandled the case of four     page-table levels, which allowed local users to cause a     denial of service (system crash) or possibly have     unspecified other impact via a crafted application,     related to arch/s390/include/asm/mmu_context.h and     arch/s390/include/asm/pgalloc.h (bnc#970504).

  - CVE-2016-2782: The treo_attach function in     drivers/usb/serial/visor.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact by inserting a     USB device that lacks a (1) bulk-in or (2) interrupt-in     endpoint (bnc#968670).

  - CVE-2015-8816: The hub_activate function in     drivers/usb/core/hub.c in the Linux kernel did not     properly maintain a hub-interface data structure, which     allowed physically proximate attackers to cause a denial     of service (invalid memory access and system crash) or     possibly have unspecified other impact by unplugging a     USB hub device (bnc#968010).

  - CVE-2015-7566: The clie_5_attach function in     drivers/usb/serial/visor.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact by inserting a     USB device that lacks a bulk-out endpoint (bnc#961512).

  - CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel     did not prevent recursive callback access, which allowed     local users to cause a denial of service (deadlock) via     a crafted ioctl call (bnc#968013).

  - CVE-2016-2547: sound/core/timer.c in the Linux kernel     employed a locking approach that did not consider slave     timer instances, which allowed local users to cause a     denial of service (race condition, use-after-free, and     system crash) via a crafted ioctl call (bnc#968011).

  - CVE-2016-2548: sound/core/timer.c in the Linux kernel     retained certain linked lists after a close or stop     action, which allowed local users to cause a denial of     service (system crash) via a crafted ioctl call, related     to the (1) snd_timer_close and (2) _snd_timer_stop     functions (bnc#968012).

  - CVE-2016-2546: sound/core/timer.c in the Linux kernel     used an incorrect type of mutex, which allowed local     users to cause a denial of service (race condition,     use-after-free, and system crash) via a crafted ioctl     call (bnc#967975).

  - CVE-2016-2545: The snd_timer_interrupt function in     sound/core/timer.c in the Linux kernel did not properly     maintain a certain linked list, which allowed local     users to cause a denial of service (race condition and     system crash) via a crafted ioctl call (bnc#967974).

  - CVE-2016-2544: Race condition in the queue_delete     function in sound/core/seq/seq_queue.c in the Linux     kernel allowed local users to cause a denial of service     (use-after-free and system crash) by making an ioctl     call at a certain time (bnc#967973).

  - CVE-2016-2543: The snd_seq_ioctl_remove_events function     in sound/core/seq/seq_clientmgr.c in the Linux kernel     did not verify FIFO assignment before proceeding with     FIFO clearing, which allowed local users to cause a     denial of service (NULL pointer dereference and OOPS)     via a crafted ioctl call (bnc#967972).

  - CVE-2016-2384: Double free vulnerability in the     snd_usbmidi_create function in sound/usb/midi.c in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (panic) or possibly have     unspecified other impact via vectors involving an     invalid USB descriptor (bnc#966693).

  - CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in     the Linux kernel did not properly identify error     conditions, which allowed remote attackers to execute     arbitrary code or cause a denial of service     (use-after-free) via crafted packets (bnc#966437).

  - CVE-2015-8785: The fuse_fill_write_pages function in     fs/fuse/file.c in the Linux kernel allowed local users     to cause a denial of service (infinite loop) via a     writev system call that triggers a zero length for the     first segment of an iov (bnc#963765).

  - CVE-2016-2069: Race condition in arch/x86/mm/tlb.c in     the Linux kernel .4.1 allowed local users to gain     privileges by triggering access to a paging structure by     a different CPU (bnc#963767).

  - CVE-2016-0723: Race condition in the tty_ioctl function     in drivers/tty/tty_io.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory or cause a denial of service (use-after-free and     system crash) by making a TIOCGETD ioctl call during     processing of a TIOCSETD ioctl call (bnc#961500).

  - CVE-2013-7446: Use-after-free vulnerability in     net/unix/af_unix.c in the Linux kernel allowed local     users to bypass intended AF_UNIX socket permissions or     cause a denial of service (panic) via crafted epoll_ctl     calls (bnc#955654).

  - CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux     kernel did not properly manage the relationship between     a lock and a socket, which allowed local users to cause     a denial of service (deadlock) via a crafted sctp_accept     call (bnc#961509).

  - CVE-2015-7515: The aiptek_probe function in     drivers/input/tablet/aiptek.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted USB device that lacks endpoints     (bnc#956708).

  - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in     the Linux kernel did not validate attempted changes to     the MTU value, which allowed context-dependent attackers     to cause a denial of service (packet loss) via a value     that is (1) smaller than the minimum compliant value or     (2) larger than the MTU of an interface, as demonstrated     by a Router Advertisement (RA) message that is not     validated by a daemon, a different vulnerability than     CVE-2015-0272 (bnc#955354).

  - CVE-2015-7550: The keyctl_read_key function in     security/keys/keyctl.c in the Linux kernel did not     properly use a semaphore, which allowed local users to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via a crafted application that leverages a race     condition between keyctl_revoke and keyctl_read calls     (bnc#958951).

  - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect     functions in drivers/net/ppp/pptp.c in the Linux kernel     did not verify an address length, which allowed local     users to obtain sensitive information from kernel memory     and bypass the KASLR protection mechanism via a crafted     application (bnc#959190).

  - CVE-2015-8575: The sco_sock_bind function in     net/bluetooth/sco.c in the Linux kernel did not verify     an address length, which allowed local users to obtain     sensitive information from kernel memory and bypass the     KASLR protection mechanism via a crafted application     (bnc#959399).

  - CVE-2015-8543: The networking implementation in the     Linux kernel did not validate protocol identifiers for     certain protocol families, which allowed local users to     cause a denial of service (NULL function pointer     dereference and system crash) or possibly gain     privileges by leveraging CLONE_NEWUSER support to     execute a crafted SOCK_RAW application (bnc#958886).

  - CVE-2015-8539: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (BUG) via crafted keyctl commands that     negatively instantiate a key, related to     security/keys/encrypted-keys/encrypted.c,     security/keys/trusted.c, and     security/keys/user_defined.c (bnc#958463).

  - CVE-2015-7509: fs/ext4/namei.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (system crash) via a crafted no-journal     filesystem, a related issue to CVE-2013-2015     (bnc#956709).

  - CVE-2015-7799: The slhc_init function in     drivers/net/slip/slhc.c in the Linux kernel did not     ensure that certain slot numbers are valid, which     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) via a crafted     PPPIOCSMAXCID ioctl call (bnc#949936).

  - CVE-2015-8104: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (host OS panic or hang) by triggering many #DB (aka     Debug) exceptions, related to svm.c (bnc#954404).

  - CVE-2015-5307: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (host OS panic or hang) by triggering many #AC (aka     Alignment Check) exceptions, related to svm.c and vmx.c     (bnc#953527).

  - CVE-2015-7990: Race condition in the rds_sendmsg     function in net/rds/sendmsg.c in the Linux kernel     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound (bnc#952384).

  - CVE-2015-7872: The key_gc_unused_keys function in     security/keys/gc.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) via crafted     keyctl commands (bnc#951440).

  - CVE-2015-6937: The __rds_conn_create function in     net/rds/connection.c in the Linux kernel allowed local     users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound (bnc#945825).

  - CVE-2015-6252: The vhost_dev_ioctl function in     drivers/vhost/vhost.c in the Linux kernel allowed local     users to cause a denial of service (memory consumption)     via a VHOST_SET_LOG_FD ioctl call that triggers     permanent file-descriptor allocation (bnc#942367).

  - CVE-2015-3339: Race condition in the prepare_binprm     function in fs/exec.c in the Linux kernel allowed local     users to gain privileges by executing a setuid program     at a time instant when a chown to root is in progress,     and the ownership is changed but the setuid bit is not     yet stripped (bnc#928130).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE 13.2 kernel was updated to fix various bugs and security issues.

The following security bugs were fixed :

  - CVE-2016-1583: Prevent the usage of mmap when the lower     file system does not allow it. This could have lead to     local privilege escalation when ecryptfs-utils was     installed and /sbin/mount.ecryptfs_private was setuid     (bsc#983143).

  - CVE-2016-4913: The get_rock_ridge_filename function in     fs/isofs/rock.c in the Linux kernel mishandles NM (aka     alternate name) entries containing \0 characters, which     allowed local users to obtain sensitive information from     kernel memory or possibly have unspecified other impact     via a crafted isofs filesystem (bnc#980725).

  - CVE-2016-4580: The x25_negotiate_facilities function in     net/x25/x25_facilities.c in the Linux kernel did not     properly initialize a certain data structure, which     allowed attackers to obtain sensitive information from     kernel stack memory via an X.25 Call Request     (bnc#981267).

  - CVE-2016-0758: Tags with indefinite length could have     corrupted pointers in asn1_find_indefinite_length     (bsc#979867).

  - CVE-2016-2053: The asn1_ber_decoder function in     lib/asn1_decoder.c in the Linux kernel allowed attackers     to cause a denial of service (panic) via an ASN.1 BER     file that lacks a public key, leading to mishandling by     the public_key_verify_signature function in     crypto/asymmetric_keys/public_key.c (bnc#963762).

  - CVE-2016-2187: The gtco_probe function in     drivers/input/tablet/gtco.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted endpoints value in a USB device descriptor     (bnc#971919 971944).

  - CVE-2016-4482: The proc_connectinfo function in     drivers/usb/core/devio.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via a crafted USBDEVFS_CONNECTINFO ioctl call     (bnc#978401 bsc#978445).

  - CVE-2016-4565: The InfiniBand (aka IB) stack in the     Linux kernel incorrectly relies on the write system     call, which allowed local users to cause a denial of     service (kernel memory write operation) or possibly have     unspecified other impact via a uAPI interface     (bnc#979548 bsc#980363).

  - CVE-2016-3672: The arch_pick_mmap_layout function in     arch/x86/mm/mmap.c in the Linux kernel did not properly     randomize the legacy base address, which made it easier     for local users to defeat the intended restrictions on     the ADDR_NO_RANDOMIZE flag, and bypass the ASLR     protection mechanism for a setuid or setgid program, by     disabling stack-consumption resource limits     (bnc#974308).

  - CVE-2016-4581: fs/pnode.c in the Linux kernel did not     properly traverse a mount propagation tree in a certain     case involving a slave mount, which allowed local users     to cause a denial of service (NULL pointer dereference     and OOPS) via a crafted series of mount system calls     (bnc#979913).

  - CVE-2016-4485: The llc_cmsg_rcv function in     net/llc/af_llc.c in the Linux kernel did not initialize     a certain data structure, which allowed attackers to     obtain sensitive information from kernel stack memory by     reading a message (bnc#978821).

  - CVE-2015-3288: A security flaw was found in the Linux     kernel that there was a way to arbitrary change zero     page memory. (bnc#979021).

  - CVE-2016-4578: sound/core/timer.c in the Linux kernel     did not initialize certain r1 data structures, which     allowed local users to obtain sensitive information from     kernel stack memory via crafted use of the ALSA timer     interface, related to the (1) snd_timer_user_ccallback     and (2) snd_timer_user_tinterrupt functions     (bnc#979879).

  - CVE-2016-3134: The netfilter subsystem in the Linux     kernel did not validate certain offset fields, which     allowed local users to gain privileges or cause a denial     of service (heap memory corruption) via an     IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

  - CVE-2016-4486: The rtnl_fill_link_ifmap function in     net/core/rtnetlink.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#978822).

  - CVE-2013-7446: Use-after-free vulnerability in     net/unix/af_unix.c in the Linux kernel allowed local     users to bypass intended AF_UNIX socket permissions or     cause a denial of service (panic) via crafted epoll_ctl     calls (bnc#955654).

  - CVE-2016-4569: The snd_timer_user_params function in     sound/core/timer.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via crafted use of the ALSA timer interface     (bnc#979213).

  - CVE-2016-2847: fs/pipe.c in the Linux kernel did not     limit the amount of unread data in pipes, which allowed     local users to cause a denial of service (memory     consumption) by creating many pipes with non-default     sizes (bnc#970948 974646).

  - CVE-2016-3136: The mct_u232_msr_to_state function in     drivers/usb/serial/mct_u232.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted USB device without two interrupt-in     endpoint descriptors (bnc#970955).

  - CVE-2016-2188: The iowarrior_probe function in     drivers/usb/misc/iowarrior.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted endpoints value in a USB device descriptor     (bnc#970956).

  - CVE-2016-3138: The acm_probe function in     drivers/usb/class/cdc-acm.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a USB device without both a control and a data endpoint     descriptor (bnc#970911).

  - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a USB device without both an     interrupt-in and an interrupt-out endpoint descriptor,     related to the cypress_generic_port_probe and     cypress_open functions (bnc#970970).

  - CVE-2016-3951: Double free vulnerability in     drivers/net/usb/cdc_ncm.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (system crash) or possibly have unspecified     other impact by inserting a USB device with an invalid     USB descriptor (bnc#974418).

  - CVE-2016-3140: The digi_port_init function in     drivers/usb/serial/digi_acceleport.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970892).

  - CVE-2016-2186: The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970958).

  - CVE-2016-2185: The ati_remote2_probe function in     drivers/input/misc/ati_remote2.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#971124).

  - CVE-2016-3689: The ims_pcu_parse_cdc_data function in     drivers/input/misc/ims-pcu.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (system crash) via a USB device without both a     master and a slave interface (bnc#971628).

  - CVE-2016-3156: The IPv4 implementation in the Linux     kernel mishandles destruction of device objects, which     allowed guest OS users to cause a denial of service     (host OS networking outage) by arranging for a large     number of IP addresses (bnc#971360).

  - CVE-2016-2184: The create_fixed_stream_quirk function in     sound/usb/quirks.c in the snd-usb-audio driver in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference or     double free, and system crash) via a crafted endpoints     value in a USB device descriptor (bnc#971125).

  - CVE-2016-3139: The wacom_probe function in     drivers/input/tablet/wacom_sys.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970909).

  - CVE-2015-8830: Integer overflow in the     aio_setup_single_vector function in fs/aio.c in the     Linux kernel 4.0 allowed local users to cause a denial     of service or possibly have unspecified other impact via     a large AIO iovec. NOTE: this vulnerability exists     because of a CVE-2012-6701 regression (bnc#969354     bsc#969355).

  - CVE-2016-2782: The treo_attach function in     drivers/usb/serial/visor.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact by inserting a     USB device that lacks a (1) bulk-in or (2) interrupt-in     endpoint (bnc#968670).

  - CVE-2015-8816: The hub_activate function in     drivers/usb/core/hub.c in the Linux kernel did not     properly maintain a hub-interface data structure, which     allowed physically proximate attackers to cause a denial     of service (invalid memory access and system crash) or     possibly have unspecified other impact by unplugging a     USB hub device (bnc#968010).

  - CVE-2015-7566: The clie_5_attach function in     drivers/usb/serial/visor.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact by inserting a     USB device that lacks a bulk-out endpoint (bnc#961512).

  - CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel     did not prevent recursive callback access, which allowed     local users to cause a denial of service (deadlock) via     a crafted ioctl call (bnc#968013).

  - CVE-2016-2547: sound/core/timer.c in the Linux kernel     employs a locking approach that did not consider slave     timer instances, which allowed local users to cause a     denial of service (race condition, use-after-free, and     system crash) via a crafted ioctl call (bnc#968011).

  - CVE-2016-2548: sound/core/timer.c in the Linux kernel     retains certain linked lists after a close or stop     action, which allowed local users to cause a denial of     service (system crash) via a crafted ioctl call, related     to the (1) snd_timer_close and (2) _snd_timer_stop     functions (bnc#968012).

  - CVE-2016-2546: sound/core/timer.c in the Linux kernel     uses an incorrect type of mutex, which allowed local     users to cause a denial of service (race condition,     use-after-free, and system crash) via a crafted ioctl     call (bnc#967975).

  - CVE-2016-2545: The snd_timer_interrupt function in     sound/core/timer.c in the Linux kernel did not properly     maintain a certain linked list, which allowed local     users to cause a denial of service (race condition and     system crash) via a crafted ioctl call (bnc#967974).

  - CVE-2016-2544: Race condition in the queue_delete     function in sound/core/seq/seq_queue.c in the Linux     kernel allowed local users to cause a denial of service     (use-after-free and system crash) by making an ioctl     call at a certain time (bnc#967973).

  - CVE-2016-2543: The snd_seq_ioctl_remove_events function     in sound/core/seq/seq_clientmgr.c in the Linux kernel     did not verify FIFO assignment before proceeding with     FIFO clearing, which allowed local users to cause a     denial of service (NULL pointer dereference and OOPS)     via a crafted ioctl call (bnc#967972).

  - CVE-2015-8709: ** DISPUTED ** kernel/ptrace.c in the     Linux kernel mishandles uid and gid mappings, which     allowed local users to gain privileges by establishing a     user namespace, waiting for a root process to enter that     namespace with an unsafe uid or gid, and then using the     ptrace system call. NOTE: the vendor states 'there is no     kernel bug here (bnc#959709 960561 ).

  - CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in     the Linux kernel did not properly identify error     conditions, which allowed remote attackers to execute     arbitrary code or cause a denial of service     (use-after-free) via crafted packets (bnc#966437).

  - CVE-2016-2384: Double free vulnerability in the     snd_usbmidi_create function in sound/usb/midi.c in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (panic) or possibly have     unspecified other impact via vectors involving an     invalid USB descriptor (bnc#966693).

  - CVE-2015-8785: The fuse_fill_write_pages function in     fs/fuse/file.c in the Linux kernel allowed local users     to cause a denial of service (infinite loop) via a     writev system call that triggers a zero length for the     first segment of an iov (bnc#963765).

  - CVE-2014-9904: The snd_compress_check_input function in     sound/core/compress_offload.c in the ALSA subsystem in     the Linux kernel did not properly check for an integer     overflow, which allowed local users to cause a denial of     service (insufficient memory allocation) or possibly     have unspecified other impact via a crafted     SNDRV_COMPRESS_SET_PARAMS ioctl call (bnc#986811).

  - CVE-2016-5829: Multiple heap-based buffer overflows in     the hiddev_ioctl_usage function in     drivers/hid/usbhid/hiddev.c in the Linux kernel allow     local users to cause a denial of service or possibly     have unspecified other impact via a crafted (1)     HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call     (bnc#986572 986573).

  - CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt     implementation in the netfilter subsystem in the Linux     kernel allowed local users to gain privileges or cause a     denial of service (memory corruption) by leveraging     in-container root access to provide a crafted offset     value that triggers an unintended decrement (bnc#986362     986365 986377).

  - CVE-2016-4805: Use-after-free vulnerability in     drivers/net/ppp/ppp_generic.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash, or spinlock) or possibly     have unspecified other impact by removing a network     namespace, related to the ppp_register_net_channel and     ppp_unregister_channel functions (bnc#980371).

  - CVE-2016-4470: The key_reject_and_link function in     security/keys/key.c in the Linux kernel did not ensure     that a certain data structure is initialized, which     allowed local users to cause a denial of service (system     crash) via vectors involving a crafted keyctl request2     command (bnc#984755 984764).

  - CVE-2015-6526: The perf_callchain_user_64 function in     arch/powerpc/perf/callchain.c in the Linux kernel on     ppc64 platforms allowed local users to cause a denial of     service (infinite loop) via a deep 64-bit userspace     backtrace (bnc#942702).

  - CVE-2016-5244: The rds_inc_info_copy function in     net/rds/recv.c in the Linux kernel did not initialize a     certain structure member, which allowed remote attackers     to obtain sensitive information from kernel stack memory     by reading an RDS message (bnc#983213).

The following non-security bugs were fixed :

  - ALSA: hrtimer: Handle start/stop more properly     (bsc#973378).

  - ALSA: pcm: Fix potential deadlock in OSS emulation     (bsc#968018).

  - ALSA: rawmidi: Fix race at copying & updating the     position (bsc#968018).

  - ALSA: rawmidi: Make snd_rawmidi_transmit() race-free     (bsc#968018).

  - ALSA: seq: Fix double port list deletion (bsc#968018).

  - ALSA: seq: Fix incorrect sanity check at     snd_seq_oss_synth_cleanup() (bsc#968018).

  - ALSA: seq: Fix leak of pool buffer at concurrent writes     (bsc#968018).

  - ALSA: seq: Fix lockdep warnings due to double mutex     locks (bsc#968018).

  - ALSA: seq: Fix race at closing in virmidi driver     (bsc#968018).

  - ALSA: seq: Fix yet another races among ALSA timer     accesses (bsc#968018).

  - ALSA: timer: Call notifier in the same spinlock     (bsc#973378).

  - ALSA: timer: Code cleanup (bsc#968018).

  - ALSA: timer: Fix leftover link at closing (bsc#968018).

  - ALSA: timer: Fix link corruption due to double start or     stop (bsc#968018).

  - ALSA: timer: Fix race between stop and interrupt     (bsc#968018).

  - ALSA: timer: Fix wrong instance passed to slave     callbacks (bsc#968018).

  - ALSA: timer: Protect the whole snd_timer_close() with     open race (bsc#973378).

  - ALSA: timer: Sync timer deletion at closing the system     timer (bsc#973378).

  - ALSA: timer: Use mod_timer() for rearming the system     timer (bsc#973378).

  - Bluetooth: vhci: Fix race at creating hci device     (bsc#971799,bsc#966849).

  - Bluetooth: vhci: fix open_timeout vs. hdev race     (bsc#971799,bsc#966849).

  - Bluetooth: vhci: purge unhandled skbs     (bsc#971799,bsc#966849).

  - Btrfs: do not use src fd for printk (bsc#980348).

  - Refresh     patches.drivers/ALSA-hrtimer-Handle-start-stop-more-prop     erly. Fix the build error on 32bit architectures.

  - Refresh patches.xen/xen-netback-coalesce: Restore     copying of SKBs with head exceeding page size     (bsc#978469).

  - Refresh patches.xen/xen3-patch-3.14: Suppress atomic     file position updates on /proc/xen/xenbus (bsc#970275).

  - Subject: [PATCH] USB: xhci: Add broken streams quirk for     Frescologic device id 1009 (bnc#982706).

  - USB: usbip: fix potential out-of-bounds write     (bnc#975945).

  - af_unix: Guard against other == sk in unix_dgram_sendmsg     (bsc#973570).

  - backends: guarantee one time reads of shared ring     contents (bsc#957988).

  - btrfs: do not go readonly on existing qgroup items     (bsc#957052).

  - btrfs: remove error message from search ioctl for     nonexistent tree.

  - drm/i915: Fix missing backlight update during panel     disablement (bsc#941113 boo#901754).

  - enic: set netdev->vlan_features (bsc#966245).

  - ext4: fix races between buffered IO and collapse /     insert range (bsc#972174).

  - ext4: fix races between page faults and hole punching     (bsc#972174).

  - ext4: fix races of writeback with punch hole and zero     range (bsc#972174).

  - ext4: move unlocked dio protection from     ext4_alloc_file_blocks() (bsc#972174).

  - ipv4/fib: do not warn when primary address is missing if     in_dev is dead (bsc#971360).

  - ipvs: count pre-established TCP states as active     (bsc#970114).

  - net: core: Correct an over-stringent device loop     detection (bsc#945219).

  - netback: do not use last request to determine minimum Tx     credit (bsc#957988).

  - pciback: Check PF instead of VF for PCI_COMMAND_MEMORY.

  - pciback: Save the number of MSI-X entries to be copied     later.

  - pciback: guarantee one time reads of shared ring     contents (bsc#957988).

  - series.conf: move cxgb3 patch to network drivers section

  - usb: quirk to stop runtime PM for Intel 7260     (bnc#984464).

  - x86: standardize mmap_rnd() usage (bnc#974308).

It was discovered that the Linux kernel did not properly enforce rlimits for file descriptors sent over UNIX domain sockets. A local attacker could use this to cause a denial of service. (CVE-2013-4312)

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7515)

Ralf Spenneberg discovered that the USB driver for Clie devices in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7566)

Ralf Spenneberg discovered that the usbvision driver in the Linux kernel did not properly sanity check the interfaces and endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7833)

It was discovered that a race condition existed when handling heartbeat- timeout events in the SCTP implementation of the Linux kernel. A remote attacker could use this to cause a denial of service.
(CVE-2015-8767)

Venkatesh Pottem discovered a use-after-free vulnerability in the Linux kernel's CXGB3 driver. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2015-8812)

It was discovered that a race condition existed in the ioctl handler for the TTY driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2016-0723)

It was discovered that the Linux kernel did not keep accurate track of pipe buffer details when error conditions occurred, due to an incomplete fix for CVE-2015-1805. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-0774)

Zach Riggle discovered that the Linux kernel's list poison feature did not take into account the mmap_min_addr value. A local attacker could use this to bypass the kernel's poison-pointer protection mechanism while attempting to exploit an existing kernel vulnerability.
(CVE-2016-0821)

Andy Lutomirski discovered a race condition in the Linux kernel's translation lookaside buffer (TLB) handling of flush events. A local attacker could use this to cause a denial of service or possibly leak sensitive information. (CVE-2016-2069)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework did not verify that a FIFO was attached to a client before attempting to clear it. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-2543)

Dmitry Vyukov discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) framework between timer setup and closing of the client, resulting in a use-after-free. A local attacker could use this to cause a denial of service. (CVE-2016-2544)

Dmitry Vyukov discovered a race condition in the timer handling implementation of the Advanced Linux Sound Architecture (ALSA) framework, resulting in a use-after-free. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-2545)

Dmitry Vyukov discovered race conditions in the Advanced Linux Sound Architecture (ALSA) framework's timer ioctls leading to a use-after-free. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-2546)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework's handling of high resolution timers did not properly manage its data structures. A local attacker could use this to cause a denial of service (system hang or crash) or possibly execute arbitrary code. (CVE-2016-2547, CVE-2016-2548)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework's handling of high resolution timers could lead to a deadlock condition. A local attacker could use this to cause a denial of service (system hang). (CVE-2016-2549)

Ralf Spenneberg discovered that the USB driver for Treo devices in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2016-2782)

It was discovered that the Linux kernel did not enforce limits on the amount of data allocated to buffer pipes. A local attacker could use this to cause a denial of service (resource exhaustion).
(CVE-2016-2847).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2013-7446: Use-after-free vulnerability in     net/unix/af_unix.c in the Linux kernel allowed local     users to bypass intended AF_UNIX socket permissions or     cause a denial of service (panic) via crafted epoll_ctl     calls (bnc#955654).

  - CVE-2015-7509: fs/ext4/namei.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (system crash) via a crafted no-journal     filesystem, a related issue to CVE-2013-2015     (bnc#956707).

  - CVE-2015-7515: An out of bounds memory access in the     aiptek USB driver could be used by physical local     attackers to crash the kernel (bnc#956708).

  - CVE-2015-7550: The keyctl_read_key function in     security/keys/keyctl.c in the Linux kernel did not     properly use a semaphore, which allowed local users to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via a crafted application that leverages a race     condition between keyctl_revoke and keyctl_read calls     (bnc#958951).

  - CVE-2015-7566: A malicious USB device could cause kernel     crashes in the visor device driver (bnc#961512).

  - CVE-2015-7799: The slhc_init function in     drivers/net/slip/slhc.c in the Linux kernel did not     ensure that certain slot numbers are valid, which     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) via a crafted     PPPIOCSMAXCID ioctl call (bnc#949936).

  - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in     the Linux kernel did not validate attempted changes to     the MTU value, which allowed context-dependent attackers     to cause a denial of service (packet loss) via a value     that is (1) smaller than the minimum compliant value or     (2) larger than the MTU of an interface, as demonstrated     by a Router Advertisement (RA) message that is not     validated by a daemon, a different vulnerability than     CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is     limited to the NetworkManager product (bnc#955354).

  - CVE-2015-8539: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (BUG) via crafted keyctl commands that     negatively instantiate a key, related to     security/keys/encrypted-keys/encrypted.c,     security/keys/trusted.c, and     security/keys/user_defined.c (bnc#958463).

  - CVE-2015-8543: The networking implementation in the     Linux kernel did not validate protocol identifiers for     certain protocol families, which allowed local users to     cause a denial of service (NULL function pointer     dereference and system crash) or possibly gain     privileges by leveraging CLONE_NEWUSER support to     execute a crafted SOCK_RAW application (bnc#958886).

  - CVE-2015-8550: Optimizations introduced by the compiler     could have lead to double fetch vulnerabilities,     potentially possibly leading to arbitrary code execution     in backend (bsc#957988). (bsc#957988 XSA-155).

  - CVE-2015-8551: The PCI backend driver in Xen, when     running on an x86 system and using Linux as the driver     domain, allowed local guest administrators to hit BUG     conditions and cause a denial of service (NULL pointer     dereference and host OS crash) by leveraging a system     with access to a passed-through MSI or MSI-X capable     physical PCI device and a crafted sequence of     XEN_PCI_OP_* operations, aka 'Linux pciback missing     sanity checks (bnc#957990).

  - CVE-2015-8552: The PCI backend driver in Xen, when     running on an x86 system and using Linux as the driver     domain, allowed local guest administrators to generate a     continuous stream of WARN messages and cause a denial of     service (disk consumption) by leveraging a system with     access to a passed-through MSI or MSI-X capable physical     PCI device and XEN_PCI_OP_enable_msi operations, aka     'Linux pciback missing sanity checks (bnc#957990).

  - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect     functions in drivers/net/ppp/pptp.c in the Linux kernel     do not verify an address length, which allowed local     users to obtain sensitive information from kernel memory     and bypass the KASLR protection mechanism via a crafted     application (bnc#959190).

  - CVE-2015-8575: The sco_sock_bind function in     net/bluetooth/sco.c in the Linux kernel did not verify     an address length, which allowed local users to obtain     sensitive information from kernel memory and bypass the     KASLR protection mechanism via a crafted application     (bnc#959399).

  - CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux     kernel did not properly manage the relationship between     a lock and a socket, which allowed local users to cause     a denial of service (deadlock) via a crafted sctp_accept     call (bnc#961509).

  - CVE-2015-8785: The fuse_fill_write_pages function in     fs/fuse/file.c in the Linux kernel allowed local users     to cause a denial of service (infinite loop) via a     writev system call that triggers a zero length for the     first segment of an iov (bnc#963765).

  - CVE-2015-8812: A flaw was found in the CXGB3 kernel     driver when the network was considered congested. The     kernel would incorrectly misinterpret the congestion as     an error condition and incorrectly free/clean up the     skb. When the device would then send the skb's queued,     these structures would be referenced and may panic the     system or allow an attacker to escalate privileges in a     use-after-free scenario.(bsc#966437).

  - CVE-2015-8816: A malicious USB device could cause kernel     crashes in the in hub_activate() function (bnc#968010).

  - CVE-2016-0723: Race condition in the tty_ioctl function     in drivers/tty/tty_io.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory or cause a denial of service (use-after-free and     system crash) by making a TIOCGETD ioctl call during     processing of a TIOCSETD ioctl call (bnc#961500).

  - CVE-2016-2069: A race in invalidating paging structures     that were not in use locally could have lead to     disclosoure of information or arbitrary code exectution     (bnc#963767).

  - CVE-2016-2143: On zSeries a fork of a large process     could have caused memory corruption due to incorrect     page table handling. (bnc#970504, LTC#138810).

  - CVE-2016-2184: A malicious USB device could cause kernel     crashes in the alsa usb-audio device driver     (bsc#971125).

  - CVE-2016-2185: A malicious USB device could cause kernel     crashes in the usb_driver_claim_interface function     (bnc#971124).

  - CVE-2016-2186: A malicious USB device could cause kernel     crashes in the powermate device driver (bnc#970958).

  - CVE-2016-2384: A double free on the ALSA umidi object     was fixed. (bsc#966693).

  - CVE-2016-2543: A missing NULL check at remove_events     ioctl in the ALSA seq driver was fixed. (bsc#967972).

  - CVE-2016-2544: Fix race at timer setup and close in the     ALSA seq driver was fixed. (bsc#967973).

  - CVE-2016-2545: A double unlink of active_list in the     ALSA timer driver was fixed. (bsc#967974).

  - CVE-2016-2546: A race among ALSA timer ioctls was fixed     (bsc#967975).

  - CVE-2016-2547,CVE-2016-2548: The ALSA slave timer list     handling was hardened against hangs and races.
    (CVE-2016-2547,CVE-2016-2548,bsc#968011,bsc#968012).

  - CVE-2016-2549: A stall in ALSA hrtimer handling was     fixed (bsc#968013).

  - CVE-2016-2782: A malicious USB device could cause kernel     crashes in the visor device driver (bnc#968670).

  - CVE-2016-3137: A malicious USB device could cause kernel     crashes in the cypress_m8 device driver (bnc#970970).

  - CVE-2016-3139: A malicious USB device could cause kernel     crashes in the wacom device driver (bnc#970909).

  - CVE-2016-3140: A malicious USB device could cause kernel     crashes in the digi_acceleport device driver     (bnc#970892).

  - CVE-2016-3156: A quadratic algorithm could lead to long     kernel ipv4 hangs when removing a device with a large     number of addresses. (bsc#971360).

  - CVE-2016-3955: A remote buffer overflow in the usbip     driver could be used by authenticated attackers to crash     the kernel. (bsc#975945)

  - CVE-2016-2847: A local user could exhaust kernel memory     by pushing lots of data into pipes. (bsc#970948).

  - CVE-2016-2188: A malicious USB device could cause kernel     crashes in the iowarrior device driver (bnc#970956).

  - CVE-2016-3138: A malicious USB device could cause kernel     crashes in the cdc-acm device driver (bnc#970911).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes.

Following feature was added to kernel-xen :

  - A improved XEN blkfront module was added, which allows     more I/O bandwidth. (FATE#320200) It is called     xen-blkfront in PV, and xen-vbd-upstream in HVM mode.

The following security bugs were fixed :

  - CVE-2013-7446: Use-after-free vulnerability in     net/unix/af_unix.c in the Linux kernel allowed local     users to bypass intended AF_UNIX socket permissions or     cause a denial of service (panic) via crafted epoll_ctl     calls (bnc#955654).

  - CVE-2015-7515: An out of bounds memory access in the     aiptek USB driver could be used by physical local     attackers to crash the kernel (bnc#956708).

  - CVE-2015-7550: The keyctl_read_key function in     security/keys/keyctl.c in the Linux kernel did not     properly use a semaphore, which allowed local users to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via a crafted application that leverages a race     condition between keyctl_revoke and keyctl_read calls     (bnc#958951).

  - CVE-2015-8539: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (BUG) via crafted keyctl commands that     negatively instantiate a key, related to     security/keys/encrypted-keys/encrypted.c,     security/keys/trusted.c, and     security/keys/user_defined.c (bnc#958463).

  - CVE-2015-8543: The networking implementation in the     Linux kernel did not validate protocol identifiers for     certain protocol families, which allowed local users to     cause a denial of service (NULL function pointer     dereference and system crash) or possibly gain     privileges by leveraging CLONE_NEWUSER support to     execute a crafted SOCK_RAW application (bnc#958886).

  - CVE-2015-8550: Compiler optimizations in the XEN PV     backend drivers could have lead to double fetch     vulnerabilities, causing denial of service or arbitrary     code execution (depending on the configuration)     (bsc#957988).

  - CVE-2015-8551, CVE-2015-8552: xen/pciback: For     XEN_PCI_OP_disable_msi[|x] only disable if device has     MSI(X) enabled (bsc#957990).

  - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect     functions in drivers/net/ppp/pptp.c in the Linux kernel     did not verify an address length, which allowed local     users to obtain sensitive information from kernel memory     and bypass the KASLR protection mechanism via a crafted     application (bnc#959190).

  - CVE-2015-8575: The sco_sock_bind function in     net/bluetooth/sco.c in the Linux kernel did not verify     an address length, which allowed local users to obtain     sensitive information from kernel memory and bypass the     KASLR protection mechanism via a crafted application     (bnc#959190 bnc#959399).

  - CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux     kernel did not properly manage the relationship between     a lock and a socket, which allowed local users to cause     a denial of service (deadlock) via a crafted sctp_accept     call (bnc#961509).

  - CVE-2015-8785: The fuse_fill_write_pages function in     fs/fuse/file.c in the Linux kernel allowed local users     to cause a denial of service (infinite loop) via a     writev system call that triggers a zero length for the     first segment of an iov (bnc#963765).

  - CVE-2015-8812: A use-after-free flaw was found in the     CXGB3 kernel driver when the network was considered to     be congested. This could be used by local attackers to     cause machine crashes or potentially code execution     (bsc#966437).

  - CVE-2016-0723: Race condition in the tty_ioctl function     in drivers/tty/tty_io.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory or cause a denial of service (use-after-free and     system crash) by making a TIOCGETD ioctl call during     processing of a TIOCSETD ioctl call (bnc#961500).

  - CVE-2016-2069: Race conditions in TLB syncing was fixed     which could leak to information leaks (bnc#963767).

  - CVE-2016-2384: Removed a double free in the ALSA     usb-audio driver in the umidi object which could lead to     crashes (bsc#966693).

  - CVE-2016-2543: Added a missing NULL check at     remove_events ioctl in ALSA that could lead to crashes.
    (bsc#967972).

  - CVE-2016-2544, CVE-2016-2545, CVE-2016-2546,     CVE-2016-2547, CVE-2016-2548, CVE-2016-2549: Various     race conditions in ALSAs timer handling were fixed.
    (bsc#967975, bsc#967974, bsc#967973, bsc#968011,     bsc#968012, bsc#968013).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events.
A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3134)

It was discovered that the Linux kernel did not properly enforce rlimits for file descriptors sent over UNIX domain sockets. A local attacker could use this to cause a denial of service. (CVE-2013-4312)

Ralf Spenneberg discovered that the USB driver for Clie devices in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7566)

Ralf Spenneberg discovered that the usbvision driver in the Linux kernel did not properly sanity check the interfaces and endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7833)

It was discovered that a race condition existed when handling heartbeat- timeout events in the SCTP implementation of the Linux kernel. A remote attacker could use this to cause a denial of service.
(CVE-2015-8767)

It was discovered that a race condition existed in the ioctl handler for the TTY driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2016-0723)

Andy Lutomirski discovered a race condition in the Linux kernel's translation lookaside buffer (TLB) handling of flush events. A local attacker could use this to cause a denial of service or possibly leak sensitive information. (CVE-2016-2069)

Andrey Konovalov discovered that the ALSA USB MIDI driver incorrectly performed a double-free. A local attacker with physical access could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-2384)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework did not verify that a FIFO was attached to a client before attempting to clear it. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-2543)

Dmitry Vyukov discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) framework between timer setup and closing of the client, resulting in a use-after-free. A local attacker could use this to cause a denial of service. (CVE-2016-2544)

Dmitry Vyukov discovered a race condition in the timer handling implementation of the Advanced Linux Sound Architecture (ALSA) framework, resulting in a use-after-free. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-2545)

Dmitry Vyukov discovered race conditions in the Advanced Linux Sound Architecture (ALSA) framework's timer ioctls leading to a use-after-free. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-2546)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework's handling of high resolution timers did not properly manage its data structures. A local attacker could use this to cause a denial of service (system hang or crash) or possibly execute arbitrary code. (CVE-2016-2547, CVE-2016-2548)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework's handling of high resolution timers could lead to a deadlock condition. A local attacker could use this to cause a denial of service (system hang). (CVE-2016-2549)

Ralf Spenneberg discovered that the USB driver for Treo devices in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2016-2782).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events.
A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3134)

It was discovered that the Linux kernel did not properly enforce rlimits for file descriptors sent over UNIX domain sockets. A local attacker could use this to cause a denial of service. (CVE-2013-4312)

It was discovered that a race condition existed when handling heartbeat- timeout events in the SCTP implementation of the Linux kernel. A remote attacker could use this to cause a denial of service.
(CVE-2015-8767)

Andy Lutomirski discovered a race condition in the Linux kernel's translation lookaside buffer (TLB) handling of flush events. A local attacker could use this to cause a denial of service or possibly leak sensitive information. (CVE-2016-2069)

Andrey Konovalov discovered that the ALSA USB MIDI driver incorrectly performed a double-free. A local attacker with physical access could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-2384)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework did not verify that a FIFO was attached to a client before attempting to clear it. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-2543)

Dmitry Vyukov discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) framework between timer setup and closing of the client, resulting in a use-after-free. A local attacker could use this to cause a denial of service. (CVE-2016-2544)

Dmitry Vyukov discovered a race condition in the timer handling implementation of the Advanced Linux Sound Architecture (ALSA) framework, resulting in a use-after-free. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-2545)

Dmitry Vyukov discovered race conditions in the Advanced Linux Sound Architecture (ALSA) framework's timer ioctls leading to a use-after-free. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-2546)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework's handling of high resolution timers did not properly manage its data structures. A local attacker could use this to cause a denial of service (system hang or crash) or possibly execute arbitrary code. (CVE-2016-2547, CVE-2016-2548)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework's handling of high resolution timers could lead to a deadlock condition. A local attacker could use this to cause a denial of service (system hang). (CVE-2016-2549).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events.
A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3134)

It was discovered that the Linux kernel did not properly enforce rlimits for file descriptors sent over UNIX domain sockets. A local attacker could use this to cause a denial of service. (CVE-2013-4312)

Ralf Spenneberg discovered that the USB driver for Clie devices in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7566)

Ralf Spenneberg discovered that the usbvision driver in the Linux kernel did not properly sanity check the interfaces and endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7833)

It was discovered that a race condition existed in the ioctl handler for the TTY driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2016-0723)

Andrey Konovalov discovered that the ALSA USB MIDI driver incorrectly performed a double-free. A local attacker with physical access could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-2384)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework did not verify that a FIFO was attached to a client before attempting to clear it. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-2543)

Dmitry Vyukov discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) framework between timer setup and closing of the client, resulting in a use-after-free. A local attacker could use this to cause a denial of service. (CVE-2016-2544)

Dmitry Vyukov discovered a race condition in the timer handling implementation of the Advanced Linux Sound Architecture (ALSA) framework, resulting in a use-after-free. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-2545)

Dmitry Vyukov discovered race conditions in the Advanced Linux Sound Architecture (ALSA) framework's timer ioctls leading to a use-after-free. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-2546)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework's handling of high resolution timers did not properly manage its data structures. A local attacker could use this to cause a denial of service (system hang or crash) or possibly execute arbitrary code. (CVE-2016-2547, CVE-2016-2548)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework's handling of high resolution timers could lead to a deadlock condition. A local attacker could use this to cause a denial of service (system hang). (CVE-2016-2549)

Ralf Spenneberg discovered that the USB driver for Treo devices in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2016-2782).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, information leak or data loss.

  - CVE-2013-4312, CVE-2016-2847     Tetsuo Handa discovered that users can use pipes queued     on local (Unix) sockets to allocate an unfair share of     kernel memory, leading to denial-of-service (resource     exhaustion).

  This issue was previously mitigated for the stable suite by limiting   the total number of files queued by each user on local sockets. The   new kernel version in both suites includes that mitigation plus   limits on the total size of pipe buffers allocated for each user.

  - CVE-2015-7566     Ralf Spenneberg of OpenSource Security reported that the     visor driver crashes when a specially crafted USB device     without bulk-out endpoint is detected.

  - CVE-2015-8767     An SCTP denial-of-service was discovered which can be     triggered by a local attacker during a heartbeat timeout     event after the 4-way handshake.

  - CVE-2015-8785     It was discovered that local users permitted to write to     a file on a FUSE filesystem could cause a denial of     service (unkillable loop in the kernel).

  - CVE-2015-8812     A flaw was found in the iw_cxgb3 Infiniband driver.
    Whenever it could not send a packet because the network     was congested, it would free the packet buffer but later     attempt to send the packet again. This use-after-free     could result in a denial of service (crash or hang),     data loss or privilege escalation.

  - CVE-2015-8816     A use-after-free vulnerability was discovered in the USB     hub driver. This may be used by a physically present     user for privilege escalation.

  - CVE-2015-8830     Ben Hawkes of Google Project Zero reported that the AIO     interface permitted reading or writing 2 GiB of data or     more in a single chunk, which could lead to an integer     overflow when applied to certain filesystems, socket or     device types. The full security impact has not been     evaluated.

  - CVE-2016-0723     A use-after-free vulnerability was discovered in the     TIOCGETD ioctl. A local attacker could use this flaw for     denial-of-service.

  - CVE-2016-0774     It was found that the fix for CVE-2015-1805 in kernel     versions older than Linux 3.16 did not correctly handle     the case of a partially failed atomic read. A local,     unprivileged user could use this flaw to crash the     system or leak kernel memory to user space.

  - CVE-2016-2069     Andy Lutomirski discovered a race condition in flushing     of the TLB when switching tasks on an x86 system. On an     SMP system this could possibly lead to a crash,     information leak or privilege escalation.

  - CVE-2016-2384     Andrey Konovalov found that a crafted USB MIDI device     with an invalid USB descriptor could trigger a     double-free. This may be used by a physically present     user for privilege escalation.

  - CVE-2016-2543     Dmitry Vyukov found that the core sound sequencer driver     (snd-seq) lacked a necessary check for a NULL pointer,     allowing a user with access to a sound sequencer device     to cause a denial-of service (crash).

  - CVE-2016-2544, CVE-2016-2546, CVE-2016-2547,     CVE-2016-2548

    Dmitry Vyukov found various race conditions in the sound     subsystem (ALSA)'s management of timers. A user with     access to sound devices could use these to cause a     denial-of-service (crash or hang) or possibly for     privilege escalation.

  - CVE-2016-2545     Dmitry Vyukov found a flaw in list manipulation in the     sound subsystem (ALSA)'s management of timers. A user     with access to sound devices could use this to cause a     denial-of-service (crash or hang) or possibly for     privilege escalation.

  - CVE-2016-2549     Dmitry Vyukov found a potential deadlock in the sound     subsystem (ALSA)'s use of high resolution timers. A user     with access to sound devices could use this to cause a     denial-of-service (hang).

  - CVE-2016-2550     The original mitigation of CVE-2013-4312, limiting the     total number of files a user could queue on local     sockets, was flawed. A user given a local socket opened     by another user, for example through the systemd socket     activation mechanism, could make use of the other user's     quota, again leading to a denial-of-service (resource     exhaustion). This is fixed by accounting queued files to     the sender rather than the socket opener.

ID	Name	Product	Family	Severity
124837	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1516)	Nessus	Huawei Local Security Checks	critical
124816	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1492)	Nessus	Huawei Local Security Checks	critical
111022	OracleVM 3.3 : Unbreakable / etc (OVMSA-2018-0237)	Nessus	OracleVM Local Security Checks	high
110998	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4164)	Nessus	Oracle Linux Local Security Checks	high
110585	Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4145)	Nessus	Oracle Linux Local Security Checks	medium
110583	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4134)	Nessus	Oracle Linux Local Security Checks	medium
110581	OracleVM 3.3 : Unbreakable / etc (OVMSA-2018-0231)	Nessus	OracleVM Local Security Checks	medium
93289	SUSE SLES11 Security Update : kernel (SUSE-SU-2016:2074-1)	Nessus	SuSE Local Security Checks	critical
93104	openSUSE Security Update : the Linux Kernel (openSUSE-2016-1015)	Nessus	SuSE Local Security Checks	critical
91087	Ubuntu 12.04 LTS : linux vulnerabilities (USN-2967-1)	Nessus	Ubuntu Local Security Checks	critical
90884	SUSE SLES11 Security Update : kernel (SUSE-SU-2016:1203-1)	Nessus	SuSE Local Security Checks	critical
90264	SUSE SLED11 / SLES11 Security Update : kernel (SUSE-SU-2016:0911-1)	Nessus	SuSE Local Security Checks	critical
89937	Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-2932-1)	Nessus	Ubuntu Local Security Checks	high
89936	Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-2931-1)	Nessus	Ubuntu Local Security Checks	high
89933	Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2929-2)	Nessus	Ubuntu Local Security Checks	high
89932	Ubuntu 14.04 LTS : linux vulnerabilities (USN-2929-1)	Nessus	Ubuntu Local Security Checks	high
89122	Debian DSA-3503-1 : linux - security update	Nessus	Debian Local Security Checks	critical

CVE-2016-2549

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins