kernel: security and bugfix update

The Linux kernel was updated to fix security issues and bugs:

Security issues fixed:
CVE-2014-4699: The Linux kernel on Intel processors did not properly
restrict use of a non-canonical value for the saved RIP address in the
case of a system call that does not use IRET, which allowed local users
to leverage a race condition and gain privileges, or cause a denial of
service (double fault), via a crafted application that makes ptrace and
fork system calls.

CVE-2014-4667: The sctp_association_free function in net/sctp/associola.c
in the Linux kernel did not properly manage a certain backlog value,
which allowed remote attackers to cause a denial of service (socket
outage) via a crafted SCTP packet.

CVE-2014-4171: mm/shmem.c in the Linux kernel did not properly implement
the interaction between range notification and hole punching, which
allowed local users to cause a denial of service (i_mutex hold) by using
the mmap system call to access a hole, as demonstrated by interfering
with intended shmem activity by blocking completion of (1) an MADV_REMOVE
madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call.

CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit
x86 platforms, when syscall auditing is enabled and the sep CPU feature
flag is set, allowed local users to cause a denial of service (OOPS
and system crash) via an invalid syscall number, as demonstrated by
number 1000.

CVE-2014-0100: Race condition in the inet_frag_intern function in
net/ipv4/inet_fragment.c in the Linux kernel allowed remote attackers
to cause a denial of service (use-after-free error) or possibly have
unspecified other impact via a large series of fragmented ICMP Echo
Request packets to a system with a heavy CPU load.

CVE-2014-4656: Multiple integer overflows in sound/core/control.c in
the ALSA control implementation in the Linux kernel allowed local users
to cause a denial of service by leveraging /dev/snd/controlCX access,
related to (1) index values in the snd_ctl_add function and (2) numid
values in the snd_ctl_remove_numid_conflict function.

CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c in
the ALSA control implementation in the Linux kernel did not properly
maintain the user_ctl_count value, which allowed local users to
cause a denial of service (integer overflow and limit bypass)
by leveraging /dev/snd/controlCX access for a large number of
SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls.

CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c
in the ALSA control implementation in the Linux kernel did not check
authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allowed
local users to remove kernel controls and cause a denial of service
(use-after-free and system crash) by leveraging /dev/snd/controlCX access
for an ioctl call.

CVE-2014-4653: sound/core/control.c in the ALSA control implementation
in the Linux kernel did not ensure possession of a read/write lock,
which allowed local users to cause a denial of service (use-after-free)
and obtain sensitive information from kernel memory by leveraging
/dev/snd/controlCX access.

CVE-2014-4652: Race condition in the tlv handler functionality in the
snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control
implementation in the Linux kernel allowed local users to obtain sensitive
information from kernel memory by leveraging /dev/snd/controlCX access.

CVE-2014-4014: The capabilities implementation in the Linux kernel
did not properly consider that namespaces are inapplicable to inodes,
which allowed local users to bypass intended chmod restrictions by first
creating a user namespace, as demonstrated by setting the setgid bit on
a file with group ownership of root.

CVE-2014-2309: The ip6_route_add function in net/ipv6/route.c in the
Linux kernel did not properly count the addition of routes, which allowed
remote attackers to cause a denial of service (memory consumption)
via a flood of ICMPv6 Router Advertisement packets.

CVE-2014-3917: kernel/auditsc.c in the Linux kernel, when
CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allowed local
users to obtain potentially sensitive single-bit values from kernel memory
or cause a denial of service (OOPS) via a large value of a syscall number.

CVE-2014-0131: Use-after-free vulnerability in the skb_segment function
in net/core/skbuff.c in the Linux kernel allowed attackers to obtain
sensitive information from kernel memory by leveraging the absence of
a certain orphaning operation.

Bugs fixed:
- Don't trigger congestion wait on dirty-but-not-writeout pages
(bnc#879071).

- via-velocity: fix netif_receive_skb use in irq disabled section
(bnc#851686).

- HID: logitech-dj: Fix USB 3.0 issue (bnc#886629).

- tg3: Change nvram command timeout value to 50ms (bnc#768714
bnc#855657).

- tg3: Override clock, link aware and link idle mode during
NVRAM dump (bnc#768714 bnc#855657).

- tg3: Set the MAC clock to the fastest speed during boot code
load (bnc#768714 bnc#855657).

- ALSA: usb-audio: Fix deadlocks at resuming (bnc#884840).
- ALSA: usb-audio: Save mixer status only once at suspend
(bnc#884840).
- ALSA: usb-audio: Resume mixer values properly (bnc#884840).

Fixed bugs
bnc#883795
VUL-0: CVE-2014-4652: kernel: A few ALSA core control API vulnerabilities
bnc#886629
Logitech unified receiver not working on all USB ports of Sony SVS1511C5E notebook
bnc#882189
VUL-0: CVE-2014-4014: kernel: internal function inode_capable was used inappropriately
bnc#851686
via-velocity + kernel 3.11 == system crashes/oopses/hangs at boot
bnc#883724
VUL-0: CVE-2014-4508: kernel: BUG in syscall auditing
bnc#880484
VUL-0: CVE-2014-3917: kernel: audit syscall missing boundary checking
bnc#879071
Stalls during dd on an external USB disk
bnc#885422
VUL-0: CVE-2014-4667: kernel-source: sctp: sk_ack_backlog wrap-around problem
bnc#883518
VUL-0: CVE-2014-4171: kernel: mm/shmem: denial of service
bnc#867723
VUL-1: CVE-2014-0131: kernel: net: skbuff: fix information leak via skb_segment with zero copy skbs
bnc#768714
BUG: soft lockup - CPU#1 stuck for 43s!
bnc#867531
VUL-0: CVE-2014-2309: kernel: ipv6: remote denial of service by overflowing router advertisements
bnc#866101
VUL-0: CVE-2014-0100: kernel: net: remote crash via a race condition in the inet frag code
bnc#884840
PulseAudio default not respected for two digit indexes
bnc#885725
VUL-0: CVE-2014-4699: kernel-source: x86_64 potential ptrace local privilege escalation
bnc#855657
ethtool soft lockups
Selected Binaries
openSUSE Build Service is sponsored by