openSUSE Security Update : the Linux Kernel (openSUSE-2016-1227) (Dirty COW)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

The openSUSE 13.2 kernel was updated to receive various security and
bugfixes.

The following security bugs were fixed :

- CVE-2015-8956: The rfcomm_sock_bind function in
net/bluetooth/rfcomm/sock.c in the Linux kernel allowed
local users to obtain sensitive information or cause a
denial of service (NULL pointer dereference) via vectors
involving a bind system call on a Bluetooth RFCOMM
socket (bnc#1003925).

- CVE-2016-5195: A local privilege escalation using
MAP_PRIVATE was fixed, which is reportedly exploited in
the wild (bsc#1004418).

- CVE-2016-8658: Stack-based buffer overflow in the
brcmf_cfg80211_start_ap function in
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
in the Linux kernel allowed local users to cause a
denial of service (system crash) or possibly have
unspecified other impact via a long SSID Information
Element in a command to a Netlink socket (bnc#1004462).

- CVE-2016-7117: Use-after-free vulnerability in the
__sys_recvmmsg function in net/socket.c in the Linux
kernel allowed remote attackers to execute arbitrary
code via vectors involving a recvmmsg system call that
is mishandled during error processing (bnc#1003077).

- CVE-2016-0823: The pagemap_open function in
fs/proc/task_mmu.c in the Linux kernel before 3.19.3, as
used in Android 6.0.1 before 2016-03-01, allowed local
users to obtain sensitive physical-address information
by reading a pagemap file, aka Android internal bug
25739721 (bnc#994759).

- CVE-2016-7425: The arcmsr_iop_message_xfer function in
drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did
not restrict a certain length field, which allowed local
users to gain privileges or cause a denial of service
(heap-based buffer overflow) via an
ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

- CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in
the Linux kernel allowed local users to cause a denial
of service (NULL pointer dereference and system crash)
by using an ABORT_TASK command to abort a device write
operation (bnc#994748).

- CVE-2016-6828: The tcp_check_send_head function in
include/net/tcp.h in the Linux kernel did not properly
maintain certain SACK state after a failed data copy,
which allowed local users to cause a denial of service
(tcp_xmit_retransmit_queue use-after-free and system
crash) via a crafted SACK option (bnc#994296).

- CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel
did not properly determine the rate of challenge ACK
segments, which made it easier for man-in-the-middle
attackers to hijack TCP sessions via a blind in-window
attack (bnc#989152).

- CVE-2016-6480: Race condition in the ioctl_send_fib
function in drivers/scsi/aacraid/commctrl.c in the Linux
kernel allowed local users to cause a denial of service
(out-of-bounds access or system crash) by changing a
certain size value, aka a 'double fetch' vulnerability
(bnc#991608).

- CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel
did not reset the PIT counter values during state
restoration, which allowed guest OS users to cause a
denial of service (divide-by-zero error and host OS
crash) via a zero value, related to the
kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions
(bnc#960689).

- CVE-2016-1237: nfsd in the Linux kernel allowed local
users to bypass intended file-permission restrictions by
setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c,
and nfs4acl.c (bnc#986570).

The following non-security bugs were fixed :

- AF_VSOCK: Shrink the area influenced by prepare_to_wait
(bsc#994520).

- xen: Fix refcnt regression in xen netback introduced by
changes made for bug#881008 (bnc#978094)

- MSI-X: fix an error path (luckily none so far).

- usb: fix typo in wMaxPacketSize validation (bsc#991665).

- usb: validate wMaxPacketValue entries in endpoint
descriptors (bnc#991665).

- Update
patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch
(bsc#986570 CVE#2016-1237).

- Update
patches.fixes/0001-posix_acl-Add-set_posix_acl.patch
(bsc#986570 CVE#2016-1237).

- apparmor: fix change_hat not finding hat after policy
replacement (bsc#1000287).

- arm64: Honor __GFP_ZERO in dma allocations
(bsc#1004045).

- arm64: __clear_user: handle exceptions on strb
(bsc#994752).

- arm64: dma-mapping: always clear allocated buffers
(bsc#1004045).

- arm64: perf: reject groups spanning multiple HW PMUs
(bsc#1003931).

- blkfront: fix an error path memory leak (luckily none so
far).

- blktap2: eliminate deadlock potential from shutdown path
(bsc#909994).

- blktap2: eliminate race from deferred work queue
handling (bsc#911687).

- btrfs: ensure that file descriptor used with subvol
ioctls is a dir (bsc#999600).

- cdc-acm: added sanity checking for probe() (bsc#993891).

- kaweth: fix firmware download (bsc#993890).

- kaweth: fix oops upon failed memory allocation
(bsc#993890).

- netback: fix flipping mode (bsc#996664).

- netfront: linearize SKBs requiring too many slots
(bsc#991247).

- nfsd: check permissions when setting ACLs (bsc#986570).

- posix_acl: Add set_posix_acl (bsc#986570).

- ppp: defer netns reference release for ppp channel
(bsc#980371).

- tunnels: Do not apply GRO to multiple layers of
encapsulation (bsc#1001486).

- usb: hub: Fix auto-remount of safely removed or ejected
USB-3 devices (bsc#922634).

- x86: suppress lazy MMU updates during vmalloc fault
processing (bsc#951155).

- xen-netback-generalize.patch: Fold back into base patch.

- xen3-patch-2.6.31.patch: Fold back into base patch.

- xen3-patch-3.12.patch: Fold back into base patch.

- xen3-patch-3.15.patch: Fold back into base patch.

- xen3-patch-3.3.patch: Fold back into base patch.

- xen3-patch-3.9.patch: Fold back into base patch.

- xenbus: do not bail early from
xenbus_dev_request_and_reply() (luckily none so far).

- xenbus: inspect the correct type in
xenbus_dev_request_and_reply().

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=1000287
https://bugzilla.opensuse.org/show_bug.cgi?id=1001486
https://bugzilla.opensuse.org/show_bug.cgi?id=1003077
https://bugzilla.opensuse.org/show_bug.cgi?id=1003925
https://bugzilla.opensuse.org/show_bug.cgi?id=1003931
https://bugzilla.opensuse.org/show_bug.cgi?id=1004045
https://bugzilla.opensuse.org/show_bug.cgi?id=1004418
https://bugzilla.opensuse.org/show_bug.cgi?id=1004462
https://bugzilla.opensuse.org/show_bug.cgi?id=881008
https://bugzilla.opensuse.org/show_bug.cgi?id=909994
https://bugzilla.opensuse.org/show_bug.cgi?id=911687
https://bugzilla.opensuse.org/show_bug.cgi?id=922634
https://bugzilla.opensuse.org/show_bug.cgi?id=951155
https://bugzilla.opensuse.org/show_bug.cgi?id=960689
https://bugzilla.opensuse.org/show_bug.cgi?id=978094
https://bugzilla.opensuse.org/show_bug.cgi?id=980371
https://bugzilla.opensuse.org/show_bug.cgi?id=986570
https://bugzilla.opensuse.org/show_bug.cgi?id=989152
https://bugzilla.opensuse.org/show_bug.cgi?id=991247
https://bugzilla.opensuse.org/show_bug.cgi?id=991608
https://bugzilla.opensuse.org/show_bug.cgi?id=991665
https://bugzilla.opensuse.org/show_bug.cgi?id=993890
https://bugzilla.opensuse.org/show_bug.cgi?id=993891
https://bugzilla.opensuse.org/show_bug.cgi?id=994296
https://bugzilla.opensuse.org/show_bug.cgi?id=994520
https://bugzilla.opensuse.org/show_bug.cgi?id=994748
https://bugzilla.opensuse.org/show_bug.cgi?id=994752
https://bugzilla.opensuse.org/show_bug.cgi?id=994759
https://bugzilla.opensuse.org/show_bug.cgi?id=996664
https://bugzilla.opensuse.org/show_bug.cgi?id=999600
https://bugzilla.opensuse.org/show_bug.cgi?id=999932

Solution :

Update the affected Linux Kernel packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public Exploit Available : true