Description
The SUSE Linux Enterprise 12 kernel was updated to 3.12.60 to receive
various security and bugfixes.
The following security bugs were fixed:
- CVE-2014-9717: fs/namespace.c in Linux Kernel processes MNT_DETACH
umount2 system called without verifying that the MNT_LOCKED flag is
unset, which allowed local users to bypass intended access restrictions
and navigate to filesystem locations beneath a mount by calling umount2
within a user namespace (bnc#928547).
- CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in
Linux Kernel did not properly maintain a hub-interface data
structure, which allowed physically proximate attackers to cause a
denial of service (invalid memory access and system crash) or possibly
have unspecified other impact by unplugging a USB hub device
(bnc#968010).
- CVE-2015-8845: The tm_reclaim_thread function in
arch/powerpc/kernel/process.c in Linux Kernel on powerpc platforms
did not ensure that TM suspend mode exists before proceeding with a
tm_reclaim call, which allowed local users to cause a denial of service
(TM Bad Thing exception and panic) via a crafted application
(bnc#975533).
- CVE-2016-0758: Fix ASN.1 indefinite length object parsing (bsc#979867).
- CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in
Linux Kernel allowed attackers to cause a denial of service (panic)
via an ASN.1 BER file that lacks a public key, leading to mishandling by
the public_key_verify_signature function in
crypto/asymmetric_keys/public_key.c (bnc#963762).
- CVE-2016-2143: The fork implementation in Linux Kernel on s390
platforms mishandled the case of four page-table levels, which allowed
local users to cause a denial of service (system crash) or possibly have
unspecified other impact via a crafted application, related to
arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h.
(bnc#970504)
- CVE-2016-2184: The create_fixed_stream_quirk function in
sound/usb/quirks.c in the snd-usb-audio driver in Linux Kernel
allowed physically proximate attackers to cause a denial of service
(NULL pointer dereference or double free, and system crash) via a
crafted endpoints value in a USB device descriptor (bnc#971125).
- CVE-2016-2185: The ati_remote2_probe function in
drivers/input/misc/ati_remote2.c in Linux Kernel allowed physically
proximate attackers to cause a denial of service (NULL pointer
dereference and system crash) via a crafted endpoints value in a USB
device descriptor (bnc#971124).
- CVE-2016-2186: The powermate_probe function in
drivers/input/misc/powermate.c in Linux Kernel allowed physically
proximate attackers to cause a denial of service (NULL pointer
dereference and system crash) via a crafted endpoints value in a USB
device descriptor (bnc#970958).
- CVE-2016-2188: The iowarrior_probe function in
drivers/usb/misc/iowarrior.c in Linux Kernel allowed physically
proximate attackers to cause a denial of service (NULL pointer
dereference and system crash) via a crafted endpoints value in a USB
device descriptor (bnc#970956).
- CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in
Linux Kernel allowed physically proximate attackers to cause a
denial of service (NULL pointer dereference and system crash) or
possibly have unspecified other impact by inserting a USB device that
lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670).
- CVE-2016-2847: fs/pipe.c in Linux Kernel did not limit the amount of
unread data in pipes, which allowed local users to cause a denial of
service (memory consumption) by creating many pipes with non-default
sizes (bnc#970948).
- CVE-2016-3134: The netfilter subsystem in Linux Kernel did not
validate certain offset fields, which allowed local users to gain
privileges or cause a denial of service (heap memory corruption) via an
IPT_SO_SET_REPLACE setsockopt call (bnc#971126).
- CVE-2016-3136: The mct_u232_msr_to_state function in
drivers/usb/serial/mct_u232.c in Linux Kernel allowed physically
proximate attackers to cause a denial of service (NULL pointer
dereference and system crash) via a crafted USB device without two
interrupt-in endpoint descriptors (bnc#970955).
- CVE-2016-3137: drivers/usb/serial/cypress_m8.c in Linux Kernel
allowed physically proximate attackers to cause a denial of service
(NULL pointer dereference and system crash) via a USB device without
both an interrupt-in and an interrupt-out endpoint descriptor, related
to the cypress_generic_port_probe and cypress_open functions
(bnc#970970).
- CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in
Linux Kernel allowed physically proximate attackers to cause a
denial of service (NULL pointer dereference and system crash) via a USB
device without both a control and a data endpoint descriptor
(bnc#970911).
- CVE-2016-3139: The wacom_probe function in
drivers/input/tablet/wacom_sys.c in Linux Kernel allowed physically
proximate attackers to cause a denial of service (NULL pointer
dereference and system crash) via a crafted endpoints value in a USB
device descriptor (bnc#970909).
- CVE-2016-3140: The digi_port_init function in
drivers/usb/serial/digi_acceleport.c in Linux Kernel allowed
physically proximate attackers to cause a denial of service (NULL
pointer dereference and system crash) via a crafted endpoints value in a
USB device descriptor (bnc#970892).
- CVE-2016-3156: The IPv4 implementation in Linux Kernel mishandled
destruction of device objects, which allowed guest OS users to cause a
denial of service (host OS networking outage) by arranging for a large
number of IP addresses (bnc#971360).
- CVE-2016-3672: The arch_pick_mmap_layout function in arch/x86/mm/mmap.c
in Linux Kernel did not properly randomize the legacy base address,
which made it easier for local users to defeat the intended restrictions
on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism
for a setuid or setgid program, by disabling stack-consumption resource
limits (bnc#974308).
- CVE-2016-3689: The ims_pcu_parse_cdc_data function in
drivers/input/misc/ims-pcu.c in Linux Kernel allowed physically
proximate attackers to cause a denial of service (system crash) via a
USB device without both a master and a slave interface (bnc#971628).
- CVE-2016-3951: Double free vulnerability in drivers/net/usb/cdc_ncm.c in
Linux Kernel allowed physically proximate attackers to cause a
denial of service (system crash) or possibly have unspecified other
impact by inserting a USB device with an invalid USB descriptor
(bnc#974418).
- CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c
in Linux Kernel did not initialize a certain data structure, which
allowed local users to obtain sensitive information from kernel stack
memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401).
- CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c
in Linux Kernel did not initialize a certain data structure, which
allowed local users to obtain sensitive information from kernel stack
memory by reading a Netlink message (bnc#978822).
- CVE-2016-4565: The InfiniBand (aka IB) stack in Linux Kernel
incorrectly relied on the write system call, which allowed local users
to cause a denial of service (kernel memory write operation) or possibly
have unspecified other impact via a uAPI interface (bnc#979548).
- CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c
in Linux Kernel did not initialize a certain data structure, which
allowed local users to obtain sensitive information from kernel stack
memory via crafted use of the ALSA timer interface (bnc#979213).
- CVE-2016-4578: sound/core/timer.c in Linux Kernel did not initialize
certain r1 data structures, which allowed local users to obtain
sensitive information from kernel stack memory via crafted use of the
ALSA timer interface, related to the (1) snd_timer_user_ccallback and
(2) snd_timer_user_tinterrupt functions (bnc#979879).
- CVE-2016-4805: Use-after-free vulnerability in
drivers/net/ppp/ppp_generic.c in Linux Kernel allowed local users to
cause a denial of service (memory corruption and system crash, or
spinlock) or possibly have unspecified other impact by removing a
network namespace, related to the ppp_register_net_channel and
ppp_unregister_channel functions (bnc#980371).
- CVE-2016-5244: Fixed an infoleak in rds_inc_info_copy (bsc#983213).