SUSE SLES10 Security Update : kernel (SUSE-SU-2015:0812-1)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

The SUSE Linux Enterprise 10 SP4 LTSS kernel was updated to receive
various security and bugfixes.

The following security bugs have been fixed :

CVE-2015-2041: A information leak in the llc2_timeout_table was fixed
(bnc#919007).

CVE-2014-9322: arch/x86/kernel/entry_64.S in the Linux kernel did not
properly handle faults associated with the Stack Segment (SS) segment
register, which allowed local users to gain privileges by triggering
an IRET instruction that leads to access to a GS Base address from the
wrong space (bnc#910251).

CVE-2014-9090: The do_double_fault function in arch/x86/kernel/traps.c
in the Linux kernel did not properly handle faults associated with the
Stack Segment (SS) segment register, which allowed local users to
cause a denial of service (panic) via a modify_ldt system call, as
demonstrated by sigreturn_32 in the 1-clock-tests test suite
(bnc#907818).

CVE-2014-4667: The sctp_association_free function in
net/sctp/associola.c in the Linux kernel did not properly manage a
certain backlog value, which allowed remote attackers to cause a
denial of service (socket outage) via a crafted SCTP packet
(bnc#885422).

CVE-2014-3673: The SCTP implementation in the Linux kernel allowed
remote attackers to cause a denial of service (system crash) via a
malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and
net/sctp/sm_statefuns.c (bnc#902346).

CVE-2014-3185: Multiple buffer overflows in the
command_port_read_callback function in drivers/usb/serial/whiteheat.c
in the Whiteheat USB Serial Driver in the Linux kernel allowed
physically proximate attackers to execute arbitrary code or cause a
denial of service (memory corruption and system crash) via a crafted
device that provides a large amount of (1) EHCI or (2) XHCI data
associated with a bulk response (bnc#896391).

CVE-2014-3184: The report_fixup functions in the HID subsystem in the
Linux kernel might have allowed physically proximate attackers to
cause a denial of service (out-of-bounds write) via a crafted device
that provides a small report descriptor, related to (1)
drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3)
drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5)
drivers/hid/hid-petalynx.c, and (6) drivers/hid/hid-sunplus.c
(bnc#896390).

CVE-2014-1874: The security_context_to_sid_core function in
security/selinux/ss/services.c in the Linux kernel allowed local users
to cause a denial of service (system crash) by leveraging the
CAP_MAC_ADMIN capability to set a zero-length security context
(bnc#863335).

CVE-2014-0181: The Netlink implementation in the Linux kernel did not
provide a mechanism for authorizing socket operations based on the
opener of a socket, which allowed local users to bypass intended
access restrictions and modify network configurations by using a
Netlink socket for the (1) stdout or (2) stderr of a setuid program
(bnc#875051).

CVE-2013-4299: Interpretation conflict in
drivers/md/dm-snap-persistent.c in the Linux kernel allowed remote
authenticated users to obtain sensitive information or modify data via
a crafted mapping to a snapshot block device (bnc#846404).

CVE-2013-2147: The HP Smart Array controller disk-array driver and
Compaq SMART2 controller disk-array driver in the Linux kernel did not
initialize certain data structures, which allowed local users to
obtain sensitive information from kernel memory via (1) a crafted
IDAGETPCIINFO command for a /dev/ida device, related to the
ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted
CCISS_PASSTHRU32 command for a /dev/cciss device, related to the
cciss_ioctl32_passthru function in drivers/block/cciss.c (bnc#823260).

CVE-2012-6657: The sock_setsockopt function in net/core/sock.c in the
Linux kernel did not ensure that a keepalive action is associated with
a stream socket, which allowed local users to cause a denial of
service (system crash) by leveraging the ability to create a raw
socket (bnc#896779).

CVE-2012-3400: Heap-based buffer overflow in the udf_load_logicalvol
function in fs/udf/super.c in the Linux kernel allowed remote
attackers to cause a denial of service (system crash) or possibly have
unspecified other impact via a crafted UDF filesystem (bnc#769784).

CVE-2012-2319: Multiple buffer overflows in the hfsplus filesystem
implementation in the Linux kernel allowed local users to gain
privileges via a crafted HFS plus filesystem, a related issue to
CVE-2009-4020 (bnc#760902).

CVE-2012-2313: The rio_ioctl function in
drivers/net/ethernet/dlink/dl2k.c in the Linux kernel did not restrict
access to the SIOCSMIIREG command, which allowed local users to write
data to an Ethernet adapter via an ioctl call (bnc#758813).

CVE-2011-4132: The cleanup_journal_tail function in the Journaling
Block Device (JBD) functionality in the Linux kernel 2.6 allowed local
users to cause a denial of service (assertion error and kernel oops)
via an ext3 or ext4 image with an 'invalid log first block value'
(bnc#730118).

CVE-2011-4127: The Linux kernel did not properly restrict SG_IO ioctl
calls, which allowed local users to bypass intended restrictions on
disk read and write operations by sending a SCSI command to (1) a
partition block device or (2) an LVM volume (bnc#738400).

CVE-2011-1585: The cifs_find_smb_ses function in fs/cifs/connect.c in
the Linux kernel did not properly determine the associations between
users and sessions, which allowed local users to bypass CIFS share
authentication by leveraging a mount of a share by a different user
(bnc#687812).

CVE-2011-1494: Integer overflow in the _ctl_do_mpt_command function in
drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel might have
allowed local users to gain privileges or cause a denial of service
(memory corruption) via an ioctl call specifying a crafted value that
triggers a heap-based buffer overflow (bnc#685402).

CVE-2011-1495: drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel
did not validate (1) length and (2) offset values before performing
memory copy operations, which might allow local users to gain
privileges, cause a denial of service (memory corruption), or obtain
sensitive information from kernel memory via a crafted ioctl call,
related to the _ctl_do_mpt_command and _ctl_diag_read_buffer functions
(bnc#685402).

CVE-2011-1493: Array index error in the rose_parse_national function
in net/rose/rose_subr.c in the Linux kernel allowed remote attackers
to cause a denial of service (heap memory corruption) or possibly have
unspecified other impact by composing FAC_NATIONAL_DIGIS data that
specifies a large number of digipeaters, and then sending this data to
a ROSE socket (bnc#681175).

CVE-2011-4913: The rose_parse_ccitt function in net/rose/rose_subr.c
in the Linux kernel did not validate the FAC_CCITT_DEST_NSAP and
FAC_CCITT_SRC_NSAP fields, which allowed remote attackers to (1) cause
a denial of service (integer underflow, heap memory corruption, and
panic) via a small length value in data sent to a ROSE socket, or (2)
conduct stack-based buffer overflow attacks via a large length value
in data sent to a ROSE socket (bnc#681175).

CVE-2011-4914: The ROSE protocol implementation in the Linux kernel
did not verify that certain data-length values are consistent with the
amount of data sent, which might allow remote attackers to obtain
sensitive information from kernel memory or cause a denial of service
(out-of-bounds read) via crafted data to a ROSE socket (bnc#681175).

CVE-2011-1476: Integer underflow in the Open Sound System (OSS)
subsystem in the Linux kernel on unspecified non-x86 platforms allowed
local users to cause a denial of service (memory corruption) by
leveraging write access to /dev/sequencer (bnc#681999).

CVE-2011-1477: Multiple array index errors in sound/oss/opl3.c in the
Linux kernel allowed local users to cause a denial of service (heap
memory corruption) or possibly gain privileges by leveraging write
access to /dev/sequencer (bnc#681999).

CVE-2011-1163: The osf_partition function in fs/partitions/osf.c in
the Linux kernel did not properly handle an invalid number of
partitions, which might allow local users to obtain potentially
sensitive information from kernel heap memory via vectors related to
partition-table parsing (bnc#679812).

CVE-2011-1090: The __nfs4_proc_set_acl function in fs/nfs/nfs4proc.c
in the Linux kernel stored NFSv4 ACL data in memory that is allocated
by kmalloc but not properly freed, which allowed local users to cause
a denial of service (panic) via a crafted attempt to set an ACL
(bnc#677286).

CVE-2014-9584: The parse_rock_ridge_inode_internal function in
fs/isofs/rock.c in the Linux kernel did not validate a length value in
the Extensions Reference (ER) System Use Field, which allowed local
users to obtain sensitive information from kernel memory via a crafted
iso9660 image (bnc#912654).

CVE-2014-9420: The rock_continue function in fs/isofs/rock.c in the
Linux kernel did not restrict the number of Rock Ridge continuation
entries, which allowed local users to cause a denial of service
(infinite loop, and system crash or hang) via a crafted iso9660 image
(bnc#911325).

CVE-2014-5471: Stack consumption vulnerability in the
parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the
Linux kernel allowed local users to cause a denial of service
(uncontrolled recursion, and system crash or reboot) via a crafted
iso9660 image with a CL entry referring to a directory entry that has
a CL entry (bnc#892490).

CVE-2014-5472: The parse_rock_ridge_inode_internal function in
fs/isofs/rock.c in the Linux kernel allowed local users to cause a
denial of service (unkillable mount process) via a crafted iso9660
image with a self-referential CL entry (bnc#892490).

CVE-2014-3917: kernel/auditsc.c in the Linux kernel, when
CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allowed
local users to obtain potentially sensitive single-bit values from
kernel memory or cause a denial of service (OOPS) via a large value of
a syscall number (bnc#880484).

CVE-2014-4652: Race condition in the tlv handler functionality in the
snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA
control implementation in the Linux kernel allowed local users to
obtain sensitive information from kernel memory by leveraging
/dev/snd/controlCX access (bnc#883795).

CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c
in the ALSA control implementation in the Linux kernel did not check
authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allowed
local users to remove kernel controls and cause a denial of service
(use-after-free and system crash) by leveraging /dev/snd/controlCX
access for an ioctl call (bnc#883795).

CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c
in the ALSA control implementation in the Linux kernel did not
properly maintain the user_ctl_count value, which allowed local users
to cause a denial of service (integer overflow and limit bypass) by
leveraging /dev/snd/controlCX access for a large number of
SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls (bnc#883795).

CVE-2014-4653: sound/core/control.c in the ALSA control implementation
in the Linux kernel did not ensure possession of a read/write lock,
which allowed local users to cause a denial of service
(use-after-free) and obtain sensitive information from kernel memory
by leveraging /dev/snd/controlCX access (bnc#883795).

CVE-2014-4656: Multiple integer overflows in sound/core/control.c in
the ALSA control implementation in the Linux kernel allowed local
users to cause a denial of service by leveraging /dev/snd/controlCX
access, related to (1) index values in the snd_ctl_add function and
(2) numid values in the snd_ctl_remove_numid_conflict function
(bnc#883795).

The following non-security bugs have been fixed :

usb: class: cdc-acm: Be careful with bInterval (bnc#891844).

Fix BUG due to racing lookups with reiserfs extended attribute backing
directories (bnc#908382).

reiserfs: eliminate per-super xattr lock (bnc#908382).

reiserfs: eliminate private use of struct file in xattr (bnc#908382).

reiserfs: Expand i_mutex to enclose lookup_one_len (bnc#908382).

reiserfs: fix up lockdep warnings (bnc#908382).

reiserfs: fix xattr root locking/refcount bug (bnc#908382).

reiserfs: make per-inode xattr locking more fine grained (bnc#908382).

reiserfs: remove IS_PRIVATE helpers (bnc#908382).

reiserfs: simplify xattr internal file lookups/opens (bnc#908382).

netfilter: TCP conntrack: improve dead connection detection
(bnc#874307).

Fix kABI breakage due to addition of user_ctl_lock (bnc#883795).

isofs: Fix unchecked printing of ER records.

kabi: protect struct ip_ct_tcp for bnc#874307 fix (bnc#874307).

s390: fix system hang on shutdown because of sclp_con (bnc#883223).

udf: Check component length before reading it.

udf: Check path length when reading symlink.

udf: Verify i_size when loading inode.

udf: Verify symlink size before loading it.

x86, 64-bit: Move K8 B step iret fixup to fault entry asm (preparatory
patch).

x86, asm: Flip RESTORE_ARGS arguments logic (preparatory patch).

x86, asm: Thin down SAVE/RESTORE_* asm macros (preparatory patch).

x86: move dwarf2 related macro to dwarf2.h (preparatory patch).

xen: x86, asm: Flip RESTORE_ARGS arguments logic (preparatory patch).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/677286
https://bugzilla.suse.com/679812
https://bugzilla.suse.com/681175
https://bugzilla.suse.com/681999
https://bugzilla.suse.com/683282
https://bugzilla.suse.com/685402
https://bugzilla.suse.com/687812
https://bugzilla.suse.com/730118
https://bugzilla.suse.com/730200
https://bugzilla.suse.com/738400
https://bugzilla.suse.com/758813
https://bugzilla.suse.com/760902
https://bugzilla.suse.com/769784
https://bugzilla.suse.com/823260
https://bugzilla.suse.com/846404
https://bugzilla.suse.com/853040
https://bugzilla.suse.com/854722
https://bugzilla.suse.com/863335
https://bugzilla.suse.com/874307
https://bugzilla.suse.com/875051
https://bugzilla.suse.com/880484
https://bugzilla.suse.com/883223
https://bugzilla.suse.com/883795
https://bugzilla.suse.com/885422
https://bugzilla.suse.com/891844
https://bugzilla.suse.com/892490
https://bugzilla.suse.com/896390
https://bugzilla.suse.com/896391
https://bugzilla.suse.com/896779
https://bugzilla.suse.com/902346
https://bugzilla.suse.com/907818
https://bugzilla.suse.com/908382
https://bugzilla.suse.com/910251
https://bugzilla.suse.com/911325
http://www.nessus.org/u?0c2a8dc0
http://www.nessus.org/u?bb8d1095
http://www.nessus.org/u?0e08f301
https://www.suse.com/security/cve/CVE-2011-1090.html
https://www.suse.com/security/cve/CVE-2011-1163.html
https://www.suse.com/security/cve/CVE-2011-1476.html
https://www.suse.com/security/cve/CVE-2011-1477.html
https://www.suse.com/security/cve/CVE-2011-1493.html
https://www.suse.com/security/cve/CVE-2011-1494.html
https://www.suse.com/security/cve/CVE-2011-1495.html
https://www.suse.com/security/cve/CVE-2011-1585.html
https://www.suse.com/security/cve/CVE-2011-4127.html
https://www.suse.com/security/cve/CVE-2011-4132.html
https://www.suse.com/security/cve/CVE-2011-4913.html
https://www.suse.com/security/cve/CVE-2011-4914.html
https://www.suse.com/security/cve/CVE-2012-2313.html
https://www.suse.com/security/cve/CVE-2012-2319.html
https://www.suse.com/security/cve/CVE-2012-3400.html
https://www.suse.com/security/cve/CVE-2012-6657.html
https://www.suse.com/security/cve/CVE-2013-2147.html
https://www.suse.com/security/cve/CVE-2013-4299.html
https://www.suse.com/security/cve/CVE-2013-6405.html
https://www.suse.com/security/cve/CVE-2013-6463.html
https://www.suse.com/security/cve/CVE-2014-0181.html
https://www.suse.com/security/cve/CVE-2014-1874.html
https://www.suse.com/security/cve/CVE-2014-3184.html
https://www.suse.com/security/cve/CVE-2014-3185.html
https://www.suse.com/security/cve/CVE-2014-3673.html
https://www.suse.com/security/cve/CVE-2014-3917.html
https://www.suse.com/security/cve/CVE-2014-4652.html
https://www.suse.com/security/cve/CVE-2014-4653.html
https://www.suse.com/security/cve/CVE-2014-4654.html
https://www.suse.com/security/cve/CVE-2014-4655.html
https://www.suse.com/security/cve/CVE-2014-4656.html
https://www.suse.com/security/cve/CVE-2014-4667.html
https://www.suse.com/security/cve/CVE-2014-5471.html
https://www.suse.com/security/cve/CVE-2014-5472.html
https://www.suse.com/security/cve/CVE-2014-9090.html
https://www.suse.com/security/cve/CVE-2014-9322.html
https://www.suse.com/security/cve/CVE-2014-9420.html
https://www.suse.com/security/cve/CVE-2014-9584.html
https://www.suse.com/security/cve/CVE-2015-2041.html
http://www.nessus.org/u?0e1e8d12

Solution :

Update the affected kernel packages

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.8
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false