Security update for the Linux Kernel SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:0714-1 Final 1 1 2015-03-20T12:57:19Z current 2015-03-20T12:57:19Z 2015-03-20T12:57:19Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel The Linux kernel was updated to fix various bugs and security issues. Following security issues were fixed: - CVE-2014-8173: A NULL pointer dereference flaw was found in the way the Linux kernels madvise MADV_WILLNEED functionality handled page table locking. A local, unprivileged user could have used this flaw to crash the system. - CVE-2015-1593: A integer overflow reduced the effectiveness of the stack randomization on 64-bit systems. - CVE-2014-7822: A flaw was found in the way the Linux kernels splice() system call validated its parameters. On certain file systems, a local, unprivileged user could have used this flaw to write past the maximum file size, and thus crash the system. - CVE-2014-9419: The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel did not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which made it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address. - CVE-2014-8134: The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel used an improper paravirt_enabled setting for KVM guest kernels, which made it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value. - CVE-2014-8160: net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel generated incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allowed remote attackers to bypass intended access restrictions via packets with disallowed port numbers. - CVE-2014-9529: Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel allowed local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key. - CVE-2014-8559: The d_walk function in fs/dcache.c in the Linux kernel through did not properly maintain the semantics of rename_lock, which allowed local users to cause a denial of service (deadlock and system hang) via a crafted application. - CVE-2014-9420: The rock_continue function in fs/isofs/rock.c in the Linux kernel did not restrict the number of Rock Ridge continuation entries, which allowed local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image. - CVE-2014-9584: The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel did not validate a length value in the Extensions Reference (ER) System Use Field, which allowed local users to obtain sensitive information from kernel memory via a crafted iso9660 image. - CVE-2014-9585: The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel did not properly choose memory locations for the vDSO area, which made it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD. Following bugs were fixed: - HID: usbhid: enable always-poll quirk for Elan Touchscreen 0103 (bnc#920901). - HID: usbhid: enable always-poll quirk for Elan Touchscreen 016f (bnc#920901). - HID: usbhid: enable always-poll quirk for Elan Touchscreen 009b (bnc#920901). - HID: usbhid: add another mouse that needs QUIRK_ALWAYS_POLL (bnc#920901). - HID: usbhid: fix PIXART optical mouse (bnc#920901). - HID: usbhid: enable always-poll quirk for Elan Touchscreen (bnc#920901). - HID: usbhid: add always-poll quirk (bnc#920901). - storvsc: ring buffer failures may result in I/O freeze (bnc#914175). - mm, vmscan: prevent kswapd livelock due to pfmemalloc-throttled process being killed (VM Functionality bnc#910150). - Input: evdev - fix EVIOCG{type} ioctl (bnc#904899). - mnt: Implicitly add MNT_NODEV on remount when it was implicitly added by mount (bsc#907988). - DocBook: Do not exceed argument list limit. - DocBook: Make mandocs parallel-safe. - mm: free compound page with correct order (bnc#913695). - udf: Check component length before reading it. - udf: Check path length when reading symlink. - udf: Verify symlink size before loading it. - udf: Verify i_size when loading inode. - xfs: remote attribute overwrite causes transaction overrun. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html E-Mail link for openSUSE-SU-2015:0714-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings cloop-2.639-11.19.1 cloop-kmp-default-2.639_k3.11.10_29-11.19.1 cloop-kmp-desktop-2.639_k3.11.10_29-11.19.1 cloop-kmp-pae-2.639_k3.11.10_29-11.19.1 cloop-kmp-xen-2.639_k3.11.10_29-11.19.1 crash-7.0.2-2.19.1 crash-devel-7.0.2-2.19.1 crash-doc-7.0.2-2.19.1 crash-eppic-7.0.2-2.19.1 crash-gcore-7.0.2-2.19.1 crash-kmp-default-7.0.2_k3.11.10_29-2.19.1 crash-kmp-desktop-7.0.2_k3.11.10_29-2.19.1 crash-kmp-pae-7.0.2_k3.11.10_29-2.19.1 crash-kmp-xen-7.0.2_k3.11.10_29-2.19.1 hdjmod-1.28-16.19.1 hdjmod-kmp-default-1.28_k3.11.10_29-16.19.1 hdjmod-kmp-desktop-1.28_k3.11.10_29-16.19.1 hdjmod-kmp-pae-1.28_k3.11.10_29-16.19.1 hdjmod-kmp-xen-1.28_k3.11.10_29-16.19.1 ipset-6.21.1-2.23.1 ipset-devel-6.21.1-2.23.1 ipset-kmp-default-6.21.1_k3.11.10_29-2.23.1 ipset-kmp-desktop-6.21.1_k3.11.10_29-2.23.1 ipset-kmp-pae-6.21.1_k3.11.10_29-2.23.1 ipset-kmp-xen-6.21.1_k3.11.10_29-2.23.1 iscsitarget-1.4.20.3-13.19.1 iscsitarget-kmp-default-1.4.20.3_k3.11.10_29-13.19.1 iscsitarget-kmp-desktop-1.4.20.3_k3.11.10_29-13.19.1 iscsitarget-kmp-pae-1.4.20.3_k3.11.10_29-13.19.1 iscsitarget-kmp-xen-1.4.20.3_k3.11.10_29-13.19.1 kernel-debug-3.11.10-29.1 kernel-debug-base-3.11.10-29.1 kernel-debug-devel-3.11.10-29.1 kernel-default-3.11.10-29.1 kernel-default-base-3.11.10-29.1 kernel-default-devel-3.11.10-29.1 kernel-desktop-3.11.10-29.1 kernel-desktop-base-3.11.10-29.1 kernel-desktop-devel-3.11.10-29.1 kernel-devel-3.11.10-29.1 kernel-docs-3.11.10-29.2 kernel-ec2-3.11.10-29.1 kernel-ec2-base-3.11.10-29.1 kernel-ec2-devel-3.11.10-29.1 kernel-pae-3.11.10-29.1 kernel-pae-base-3.11.10-29.1 kernel-pae-devel-3.11.10-29.1 kernel-source-3.11.10-29.1 kernel-source-vanilla-3.11.10-29.1 kernel-syms-3.11.10-29.1 kernel-trace-3.11.10-29.1 kernel-trace-base-3.11.10-29.1 kernel-trace-devel-3.11.10-29.1 kernel-vanilla-3.11.10-29.1 kernel-vanilla-devel-3.11.10-29.1 kernel-xen-3.11.10-29.1 kernel-xen-base-3.11.10-29.1 kernel-xen-devel-3.11.10-29.1 libipset3-6.21.1-2.23.1 ndiswrapper-1.58-19.1 ndiswrapper-kmp-default-1.58_k3.11.10_29-19.1 ndiswrapper-kmp-desktop-1.58_k3.11.10_29-19.1 ndiswrapper-kmp-pae-1.58_k3.11.10_29-19.1 pcfclock-0.44-258.19.1 pcfclock-kmp-default-0.44_k3.11.10_29-258.19.1 pcfclock-kmp-desktop-0.44_k3.11.10_29-258.19.1 pcfclock-kmp-pae-0.44_k3.11.10_29-258.19.1 python-virtualbox-4.2.28-2.28.1 vhba-kmp-20130607-2.20.1 vhba-kmp-default-20130607_k3.11.10_29-2.20.1 vhba-kmp-desktop-20130607_k3.11.10_29-2.20.1 vhba-kmp-pae-20130607_k3.11.10_29-2.20.1 vhba-kmp-xen-20130607_k3.11.10_29-2.20.1 virtualbox-4.2.28-2.28.1 virtualbox-devel-4.2.28-2.28.1 virtualbox-guest-kmp-default-4.2.28_k3.11.10_29-2.28.1 virtualbox-guest-kmp-desktop-4.2.28_k3.11.10_29-2.28.1 virtualbox-guest-kmp-pae-4.2.28_k3.11.10_29-2.28.1 virtualbox-guest-tools-4.2.28-2.28.1 virtualbox-guest-x11-4.2.28-2.28.1 virtualbox-host-kmp-default-4.2.28_k3.11.10_29-2.28.1 virtualbox-host-kmp-desktop-4.2.28_k3.11.10_29-2.28.1 virtualbox-host-kmp-pae-4.2.28_k3.11.10_29-2.28.1 virtualbox-qt-4.2.28-2.28.1 virtualbox-websrv-4.2.28-2.28.1 xen-4.3.3_04-37.1 xen-devel-4.3.3_04-37.1 xen-doc-html-4.3.3_04-37.1 xen-kmp-default-4.3.3_04_k3.11.10_29-37.1 xen-kmp-desktop-4.3.3_04_k3.11.10_29-37.1 xen-kmp-pae-4.3.3_04_k3.11.10_29-37.1 xen-libs-4.3.3_04-37.1 xen-libs-32bit-4.3.3_04-37.1 xen-tools-4.3.3_04-37.1 xen-tools-domU-4.3.3_04-37.1 xen-xend-tools-4.3.3_04-37.1 xtables-addons-2.3-2.19.1 xtables-addons-kmp-default-2.3_k3.11.10_29-2.19.1 xtables-addons-kmp-desktop-2.3_k3.11.10_29-2.19.1 xtables-addons-kmp-pae-2.3_k3.11.10_29-2.19.1 xtables-addons-kmp-xen-2.3_k3.11.10_29-2.19.1 The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call, as demonstrated by use of a file descriptor associated with an ext4 filesystem. CVE-2014-7822 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html https://www.suse.com/security/cve/CVE-2014-7822.html CVE-2014-7822 https://bugzilla.suse.com/915322 SUSE Bug 915322 https://bugzilla.suse.com/915517 SUSE Bug 915517 https://bugzilla.suse.com/939240 SUSE Bug 939240 The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value. CVE-2014-8134 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html https://www.suse.com/security/cve/CVE-2014-8134.html CVE-2014-8134 https://bugzilla.suse.com/907818 SUSE Bug 907818 https://bugzilla.suse.com/909077 SUSE Bug 909077 https://bugzilla.suse.com/909078 SUSE Bug 909078 net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disallowed port numbers. CVE-2014-8160 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html https://www.suse.com/security/cve/CVE-2014-8160.html CVE-2014-8160 https://bugzilla.suse.com/857643 SUSE Bug 857643 https://bugzilla.suse.com/913059 SUSE Bug 913059 The pmd_none_or_trans_huge_or_clear_bad function in include/asm-generic/pgtable.h in the Linux kernel before 3.13 on NUMA systems does not properly determine whether a Page Middle Directory (PMD) entry is a transparent huge-table entry, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted MADV_WILLNEED madvise system call that leverages the absence of a page-table lock. CVE-2014-8173 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html https://www.suse.com/security/cve/CVE-2014-8173.html CVE-2014-8173 https://bugzilla.suse.com/920583 SUSE Bug 920583 The d_walk function in fs/dcache.c in the Linux kernel through 3.17.2 does not properly maintain the semantics of rename_lock, which allows local users to cause a denial of service (deadlock and system hang) via a crafted application. CVE-2014-8559 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html https://www.suse.com/security/cve/CVE-2014-8559.html CVE-2014-8559 https://bugzilla.suse.com/903640 SUSE Bug 903640 https://bugzilla.suse.com/915517 SUSE Bug 915517 The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address. CVE-2014-9419 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html https://www.suse.com/security/cve/CVE-2014-9419.html CVE-2014-9419 https://bugzilla.suse.com/911326 SUSE Bug 911326 The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 does not restrict the number of Rock Ridge continuation entries, which allows local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image. CVE-2014-9420 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html https://www.suse.com/security/cve/CVE-2014-9420.html CVE-2014-9420 https://bugzilla.suse.com/906545 SUSE Bug 906545 https://bugzilla.suse.com/911325 SUSE Bug 911325 Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key. CVE-2014-9529 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html https://www.suse.com/security/cve/CVE-2014-9529.html CVE-2014-9529 https://bugzilla.suse.com/912202 SUSE Bug 912202 The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image. CVE-2014-9584 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html https://www.suse.com/security/cve/CVE-2014-9584.html CVE-2014-9584 https://bugzilla.suse.com/912654 SUSE Bug 912654 The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD. CVE-2014-9585 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html https://www.suse.com/security/cve/CVE-2014-9585.html CVE-2014-9585 https://bugzilla.suse.com/912705 SUSE Bug 912705 The stack randomization feature in the Linux kernel before 3.19.1 on 64-bit platforms uses incorrect data types for the results of bitwise left-shift operations, which makes it easier for attackers to bypass the ASLR protection mechanism by predicting the address of the top of the stack, related to the randomize_stack_top function in fs/binfmt_elf.c and the stack_maxrandom_size function in arch/x86/mm/mmap.c. CVE-2015-1593 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html https://www.suse.com/security/cve/CVE-2015-1593.html CVE-2015-1593 https://bugzilla.suse.com/1044934 SUSE Bug 1044934 https://bugzilla.suse.com/917839 SUSE Bug 917839 https://bugzilla.suse.com/942663 SUSE Bug 942663