SUSE-SU-2017:0333-1

The SUSE Linux Enterprise 11 SP2 LTSS kernel was updated to receive various security and bugfixes.

This is the last planned LTSS kernel update for the SUSE Linux Enterprise Server 11 SP2 LTSS.

The following security bugs were fixed:

• CVE-2016-10088: The sg implementation in the Linux kernel did not properly restrict write operations in situations where the KERNEL_DS option is set, which allowed local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576 (bnc#1017710).
• CVE-2004-0230: TCP, when using a large Window Size, made it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP (bnc#969340).
• CVE-2016-8632: The tipcmsgbuild function in net/tipc/msg.c in the Linux kernel did not validate the relationship between the minimum fragment length and the maximum packet size, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAPNETADMIN capability (bnc#1008831).
• CVE-2016-8399: An out of bounds read in the ping protocol handler could have lead to information disclosure (bsc#1014746).
• CVE-2016-9793: The socksetsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sksndbuf and skrcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAPNETADMIN capability for a crafted setsockopt system call with the (1) SOSNDBUFFORCE or (2) SO_RCVBUFFORCE option (bnc#1013531).
• CVE-2012-6704: The socksetsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sksndbuf and skrcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAPNETADMIN capability for a crafted setsockopt system call with the (1) SOSNDBUF or (2) SO_RCVBUF option (bnc#1013542).
• CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux kernel did not properly initialize Code Segment (CS) in certain error cases, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application (bnc#1013038).
• CVE-2016-3841: The IPv6 stack in the Linux kernel mishandled options data, which allowed local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call (bnc#992566).
• CVE-2016-9685: Multiple memory leaks in error paths in fs/xfs/xfsattrlist.c in the Linux kernel allowed local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations (bnc#1012832).
• CVE-2015-1350: The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecified removing extended privilege attributes, which allowed local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program (bnc#914939).
• CVE-2015-8962: Double free vulnerability in the sgcommonwrite function in drivers/scsi/sg.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call (bnc#1010501).
• CVE-2016-9555: The sctpsfootb function in net/sctp/sm_statefuns.c in the Linux kernel lacked chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bnc#1011685).
• CVE-2016-7910: Use-after-free vulnerability in the diskseqfstop function in block/genhd.c in the Linux kernel allowed local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed (bnc#1010716).
• CVE-2016-7911: Race condition in the gettaskioprio function in block/ioprio.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call (bnc#1010711).
• CVE-2015-8964: The ttysettermiosldisc function in drivers/tty/ttyldisc.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a tty data structure (bnc#1010507).
• CVE-2016-7916: Race condition in the environ_read function in fs/proc/base.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete (bnc#1010467).
• CVE-2016-8646: The hashaccept function in crypto/algifhash.c in the Linux kernel allowed local users to cause a denial of service (OOPS) by attempting to trigger use of in-kernel hash algorithms for a socket that has received zero bytes of data (bnc#1010150).
• CVE-2016-8633: drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allowed remote attackers to execute arbitrary code via crafted fragmented packets (bnc#1008833).
• CVE-2016-7042: The prockeysshow function in security/keys/proc.c in the Linux kernel used an incorrect buffer size for certain timeout data, which allowed local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file (bnc#1004517).
• CVE-2016-7097: The filesystem implementation in the Linux kernel preserves the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bnc#995968).
• CVE-2017-5551: The filesystem implementation in the Linux kernel preserves the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. This CVE tracks the fix for the tmpfs filesystem. (bsc#1021258).
• CVE-2015-8956: The rfcommsockbind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925).
• CVE-2016-7117: Use-after-free vulnerability in the _sysrecvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077).
• CVE-2016-0823: The pagemapopen function in fs/proc/taskmmu.c in the Linux kernel allowed local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721 (bnc#994759).
• CVE-2016-7425: The arcmsriopmessagexfer function in drivers/scsi/arcmsr/arcmsrhba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSRMESSAGEWRITE_WQBUFFER control code (bnc#999932).
• CVE-2016-6828: The tcpchecksendhead function in include/net/tcp.h in the Linux kernel did not properly maintain certain SACK state after a failed data copy, which allowed local users to cause a denial of service (tcpxmitretransmitqueue use-after-free and system crash) via a crafted SACK option (bnc#994296).
• CVE-2016-6480: Race condition in the ioctlsendfib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a 'double fetch' vulnerability (bnc#991608).
• CVE-2016-4998: The IPTSOSET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bsc#986365).
• CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel did not reset the PIT counter values during state restoration, which allowed guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvmvmioctlsetpit and kvmvmioctlsetpit2 functions (bnc#960689).
• CVE-2013-4312: The Linux kernel allowed local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c (bnc#839104).
• CVE-2016-4997: The compat IPTSOSETREPLACE and IP6TSOSETREPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bnc#986362).
• CVE-2016-5829: Multiple heap-based buffer overflows in the hiddevioctlusage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572).
• CVE-2016-4470: The keyrejectand_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755).
• CVE-2016-5244: The rdsincinfo_copy function in net/rds/recv.c in the Linux kernel did not initialize a certain structure member, which allowed remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message (bnc#983213).
• CVE-2016-1583: The ecryptfsprivilegedopen function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bnc#983143).
• CVE-2016-4913: The getrockridge_filename function in fs/isofs/rock.c in the Linux kernel mishandled NM (aka alternate name) entries containing \0 characters, which allowed local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem (bnc#980725).
• CVE-2016-4580: The x25negotiatefacilities function in net/x25/x25_facilities.c in the Linux kernel did not properly initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request (bnc#981267).
• CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/pppgeneric.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the pppregisternetchannel and pppunregisterchannel functions (bnc#980371).
• CVE-2015-7833: The usbvision driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor (bnc#950998).
• CVE-2016-2187: The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971944).
• CVE-2016-4482: The procconnectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFSCONNECTINFO ioctl call (bnc#978401).
• CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relies on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548).
• CVE-2016-4485: The llccmsgrcv function in net/llc/af_llc.c in the Linux kernel did not initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory by reading a message (bnc#978821).
• CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) sndtimeruserccallback and (2) sndtimerusertinterrupt functions (bnc#979879).
• CVE-2016-4569: The sndtimeruser_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213).

The following non-security bugs were fixed:

• arch/powerpc: Remove duplicate/redundant Altivec entries (bsc#967716).
• cdc-acm: added sanity checking for probe() (bsc#993891).
• cgroups: do not attach task to subsystem if migration failed (bnc#979274).
• cgroups: more safe tasklist locking in cgroupattachproc (bnc#979274).
• dasd: fix hanging system after LCU changes (bnc#968500, LTC#136671).
• dasd: Fix unresumed device after suspend/resume (bnc#927287, LTC#123892).
• ipv4/fib: do not warn when primary address is missing if in_dev is dead (bsc#971360).
• kabi, unix: properly account for FDs passed over unix sockets (bnc#839104).
• kaweth: fix firmware download (bsc#993890).
• kaweth: fix oops upon failed memory allocation (bsc#993890).
• kvm: x86: SYSENTER emulation is broken (bsc#994618).
• mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED (VM Functionality, bnc#986445).
• mremap: enforce rmap src/dst vma ordering in case of vmamerge() succeeding in copyvma() (VM Functionality, bsc#1008645).
• nfs4: reset states to use open_stateid when returning delegation voluntarily (bsc#1007944).
• nfs: Do not disconnect open-owner on NFS4ERRBADSEQID (bsc#989261, bsc#1011482).
• nfs: do not do blind ddrop() in nfsprime_dcache() (bnc#908069 bnc#896484 bsc#963053).
• nfsprimedcache needs fh to be set (bnc#908069 bnc#896484 bsc#963053).
• nfs: Refresh open-owner id when server says SEQID is bad (bsc#989261).
• nfsv4: Ensure that we do not drop a state owner more than once (bsc#979595).
• nfsv4: fix broken patch relating to v4 read delegations (bsc#956514, bsc#989261, bsc#979595, bsc#1011482).
• nfsv4: nfs4procrenew should be declared static (bnc#863873).
• nfsv4: OPEN must handle the NFS4ERR_IO return code correctly (bsc#979595).
• nfsv4: Recovery of recalled read delegations is broken (bsc#956514 bsc#1011482).
• nfsv4: The NFSv4.0 client must send RENEW calls if it holds a delegation (bnc#863873).
• powerpc: Add ability to build little endian kernels (bsc#967716).
• powerpc: Avoid load of static chain register when calling nested functions through a pointer on 64bit (bsc#967716).
• powerpc: Do not build assembly files with ABIv2 (bsc#967716).
• powerpc: Do not use ELFv2 ABI to build the kernel (bsc#967716).
• powerpc: dtc is required to build dtb files (bsc#967716).
• powerpc: Fix 64 bit builds with binutils 2.24 (bsc#967716).
• powerpc: Fix error when cross building TAGS & cscope (bsc#967716).
• powerpc: Make the vdso32 also build big-endian (bsc#967716).
• powerpc: Remove altivec fix for gcc versions before 4.0 (bsc#967716).
• powerpc: Remove buggy 9-year-old test for binutils < 2.12.1 (bsc#967716).
• powerpc: Require gcc 4.0 on 64-bit (bsc#967716).
• ppp: defer netns reference release for ppp channel (bsc#980371).
• qeth: delete napi struct when removing a qeth device (bnc#979915, LTC#143590).
• qeth: Fix crash on initial MTU size change (bnc#835175, LTC#96809).
• qeth: postpone freeing of qdio memory (bnc#874145, LTC#107873).
• rpm/kernel-binary.spec.in: Export a make-stderr.log file (bsc#1012422)
• Revert 's390/mm: fix asce_bits handling with dynamic pagetable levels' This reverts commit 6e00b1d803fa2ab4b130e04b7fbcc99f0b5ecba8.
• rpm/config.sh: Set the release string to 0.7.<RELEASE> (bsc#997059)
• rpm/mkspec: Read a default release string from rpm/config.sh (bsc997059)
• s390/dasd: fix failfast for disconnected devices (bnc#958000, LTC#135138).
• s390/dasd: fix hanging device after clear subchannel (bnc#994436, LTC#144640).
• s390/dasd: fix kernel panic when alias is set offline (bnc#940966, LTC#128595).
• s390/dasd: fix list_del corruption after lcu changes (bnc#954984, LTC#133077).
• s390/mm: fix asce_bits handling with dynamic pagetable levels (bnc#979915, LTC#141456). Conflicts: series.conf
• s390/pageattr: do a single TLB flush for changepageattr (bsc#1009443,LTC#148182).
• Set CONFIGDEBUGINFO=y and CONFIGDEBUGINFOREDUCED=n on all platforms The specfile adjusts the config if necessary, but a new version of runoldconfig.sh requires the settings to be present in the repository.
• usb: fix typo in wMaxPacketSize validation (bsc#991665).
• usb: validate wMaxPacketValue entries in endpoint descriptors (bnc#991665).