openSUSE Security Update : kernel (openSUSE-SU-2014:0985-1)

This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

The Linux kernel was updated to fix security issues and bugs :

Security issues fixed: CVE-2014-4699: The Linux kernel on Intel
processors did not properly restrict use of a non-canonical value for
the saved RIP address in the case of a system call that does not use
IRET, which allowed local users to leverage a race condition and gain
privileges, or cause a denial of service (double fault), via a crafted
application that makes ptrace and fork system calls.

CVE-2014-4667: The sctp_association_free function in
net/sctp/associola.c in the Linux kernel did not properly manage a
certain backlog value, which allowed remote attackers to cause a
denial of service (socket outage) via a crafted SCTP packet.

CVE-2014-4171: mm/shmem.c in the Linux kernel did not properly
implement the interaction between range notification and hole
punching, which allowed local users to cause a denial of service
(i_mutex hold) by using the mmap system call to access a hole, as
demonstrated by interfering with intended shmem activity by blocking
completion of (1) an MADV_REMOVE madvise call or (2) an
FALLOC_FL_PUNCH_HOLE fallocate call.

CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on
32-bit x86 platforms, when syscall auditing is enabled and the sep CPU
feature flag is set, allowed local users to cause a denial of service
(OOPS and system crash) via an invalid syscall number, as demonstrated
by number 1000.

CVE-2014-0100: Race condition in the inet_frag_intern function in
net/ipv4/inet_fragment.c in the Linux kernel allowed remote attackers
to cause a denial of service (use-after-free error) or possibly have
unspecified other impact via a large series of fragmented ICMP Echo
Request packets to a system with a heavy CPU load.

CVE-2014-4656: Multiple integer overflows in sound/core/control.c in
the ALSA control implementation in the Linux kernel allowed local
users to cause a denial of service by leveraging /dev/snd/controlCX
access, related to (1) index values in the snd_ctl_add function and
(2) numid values in the snd_ctl_remove_numid_conflict function.

CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c
in the ALSA control implementation in the Linux kernel did not
properly maintain the user_ctl_count value, which allowed local users
to cause a denial of service (integer overflow and limit bypass) by
leveraging /dev/snd/controlCX access for a large number of
SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls.

CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c
in the ALSA control implementation in the Linux kernel did not check
authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allowed
local users to remove kernel controls and cause a denial of service
(use-after-free and system crash) by leveraging /dev/snd/controlCX
access for an ioctl call.

CVE-2014-4653: sound/core/control.c in the ALSA control implementation
in the Linux kernel did not ensure possession of a read/write lock,
which allowed local users to cause a denial of service
(use-after-free) and obtain sensitive information from kernel memory
by leveraging /dev/snd/controlCX access.

CVE-2014-4652: Race condition in the tlv handler functionality in the
snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA
control implementation in the Linux kernel allowed local users to
obtain sensitive information from kernel memory by leveraging
/dev/snd/controlCX access.

CVE-2014-4014: The capabilities implementation in the Linux kernel did
not properly consider that namespaces are inapplicable to inodes,
which allowed local users to bypass intended chmod restrictions by
first creating a user namespace, as demonstrated by setting the setgid
bit on a file with group ownership of root.

CVE-2014-2309: The ip6_route_add function in net/ipv6/route.c in the
Linux kernel did not properly count the addition of routes, which
allowed remote attackers to cause a denial of service (memory
consumption) via a flood of ICMPv6 Router Advertisement packets.

CVE-2014-3917: kernel/auditsc.c in the Linux kernel, when
CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allowed
local users to obtain potentially sensitive single-bit values from
kernel memory or cause a denial of service (OOPS) via a large value of
a syscall number.

CVE-2014-0131: Use-after-free vulnerability in the skb_segment
function in net/core/skbuff.c in the Linux kernel allowed attackers to
obtain sensitive information from kernel memory by leveraging the
absence of a certain orphaning operation.

Bugs fixed :

- Don't trigger congestion wait on dirty-but-not-writeout
pages (bnc#879071).

- via-velocity: fix netif_receive_skb use in irq disabled
section (bnc#851686).

- HID: logitech-dj: Fix USB 3.0 issue (bnc#886629).

- tg3: Change nvram command timeout value to 50ms
(bnc#768714 bnc#855657).

- tg3: Override clock, link aware and link idle mode
during NVRAM dump (bnc#768714 bnc#855657).

- tg3: Set the MAC clock to the fastest speed during boot
code load (bnc#768714 bnc#855657).

- ALSA: usb-audio: Fix deadlocks at resuming (bnc#884840).

- ALSA: usb-audio: Save mixer status only once at suspend
(bnc#884840).

- ALSA: usb-audio: Resume mixer values properly
(bnc#884840).

See also :

http://lists.opensuse.org/opensuse-updates/2014-08/msg00016.html
https://bugzilla.novell.com/show_bug.cgi?id=768714
https://bugzilla.novell.com/show_bug.cgi?id=851686
https://bugzilla.novell.com/show_bug.cgi?id=855657
https://bugzilla.novell.com/show_bug.cgi?id=866101
https://bugzilla.novell.com/show_bug.cgi?id=867531
https://bugzilla.novell.com/show_bug.cgi?id=867723
https://bugzilla.novell.com/show_bug.cgi?id=879071
https://bugzilla.novell.com/show_bug.cgi?id=880484
https://bugzilla.novell.com/show_bug.cgi?id=882189
https://bugzilla.novell.com/show_bug.cgi?id=883518
https://bugzilla.novell.com/show_bug.cgi?id=883724
https://bugzilla.novell.com/show_bug.cgi?id=883795
https://bugzilla.novell.com/show_bug.cgi?id=884840
https://bugzilla.novell.com/show_bug.cgi?id=885422
https://bugzilla.novell.com/show_bug.cgi?id=885725
https://bugzilla.novell.com/show_bug.cgi?id=886629

Solution :

Update the affected kernel packages.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now