
MGASA-2013-0151

Date: May 17th, 2013
Affected releases: 2
Media: Core


Description:
This updates kernel-vserver to upstream stable 3.4.45.

It also fixes the following security issues:

A security flaw was found in the way "/dev/ptmx", a character device of the
Linux kernel used to create a pseudo-terminal master (PTM) and slave (PTS)
pair, transmitted data through the PTM when a key was pressed. An
unprivileged, local user could use this flaw to determine inter-keystroke
timing (measure latency between keystrokes), possibly allowing them to
determine the effective length of a password being typed in.
(CVE-2013-0160)

A flaw was found in the way the vhost kernel module handled descriptors
that spanned multiple regions. A privileged guest user in a KVM guest
could use this flaw to crash the host or, potentially, escalate their
privileges on the host. (CVE-2013-0311)

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way the Intel i915 driver in the Linux kernel handled the
allocation of the buffer used for relocation copies. A local user with
console access could use this flaw to cause a denial of service or
escalate their privileges. (CVE-2013-0913)

The flush_signal_handlers function in kernel/signal.c in the Linux kernel
before 3.8.4 preserves the value of the sa_restorer field across an exec
operation, which makes it easier for local users to bypass the ASLR
protection mechanism via a crafted application containing a sigaction
system call. (CVE-2013-0914)

A NULL pointer dereference was found in the Linux kernel's USB Inside
Out Edgeport Serial Driver implementation. An attacker with physical
access to a system could use this flaw to cause a denial of service.
(CVE-2013-1774)

A race condition in install_user_keyrings(), leading to a NULL pointer
dereference, was found in the key management facility. A local,
unprivileged user could use this flaw to cause a denial of service.
(CVE-2013-1792)

A flaw was found in the way KVM handled guest time updates when the
buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine
state register (MSR) crossed a page boundary. A privileged guest user
could use this flaw to crash the host or, potentially, escalate their
privileges, allowing them to execute arbitrary code at the host kernel
level. (CVE-2013-1796)

A potential use-after-free flaw was found in the way KVM handled guest
time updates when the GPA (guest physical address) the guest registered
by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell
into a movable or removable memory region of the hosting user-space
process (by default, QEMU-KVM) on the host. If that memory region is
deregistered from KVM using KVM_SET_USER_MEMORY_REGION and the allocated
virtual memory reused, a privileged guest user could potentially use this
flaw to escalate their privileges on the host. (CVE-2013-1797)

A flaw was found in the way KVM emulated IOAPIC (I/O Advanced
Programmable Interrupt Controller). A missing validation check in the
ioapic_read_indirect() function could allow a privileged guest user to
crash the host, or read a substantial portion of host kernel memory.
(CVE-2013-1798)

fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments
to functions in certain circumstances related to printk input, which
allows local users to conduct format-string attacks and possibly gain
privileges via a crafted application. (CVE-2013-1848)

Heap-based buffer overflow in the wdm_in_callback function in
drivers/usb/class/cdc-wdm.c in the Linux kernel before 3.8.4 allows
physically proximate attackers to cause a denial of service (system crash)
or possibly execute arbitrary code via a crafted cdc-wdm USB device.
(CVE-2013-1860)

The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux
kernel before 3.6.5 on unspecified architectures lacks a certain error
check, which might allow local users to obtain sensitive information from
kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a
/dev/dvb device. (CVE-2013-1928)

A Linux kernel built with the Broadcom tg3 ethernet driver is vulnerable
to a buffer overflow. This could occur when the tg3 driver reads and
copies the firmware string from the hardware's product data (VPD), if it
exceeds 32 characters. A user with physical access to a machine could use
this flaw to crash the system or, potentially, escalate their privileges
on the system. (CVE-2013-1929)

The scm_set_cred function in include/net/scm.h in the Linux kernel before
3.8.11 uses incorrect uid and gid values during credentials passing, which
allows local users to gain privileges via a crafted application.
(CVE-2013-1979)

The perf_swevent_init function in kernel/events/core.c in the Linux kernel
before 3.8.9 uses an incorrect integer data type, which allows local users
to gain privileges via a crafted perf_event_open system call.
(CVE-2013-2094)

The report API in the crypto user configuration API in the Linux kernel
through 3.8.2 uses an incorrect C library function for copying strings,
which allows local users to obtain sensitive information from kernel
stack memory by leveraging the CAP_NET_ADMIN capability. (CVE-2013-2546)

The crypto_report_one function in crypto/crypto_user.c in the report API
in the crypto user configuration API in the Linux kernel through 3.8.2
does not initialize certain structure members, which allows local users
to obtain sensitive information from kernel heap memory by leveraging
the CAP_NET_ADMIN capability. (CVE-2013-2547)

The crypto_report_one function in crypto/crypto_user.c in the report API
in the crypto user configuration API in the Linux kernel through 3.8.2
uses an incorrect length value during a copy operation, which allows local
users to obtain sensitive information from kernel memory by leveraging
the CAP_NET_ADMIN capability. (CVE-2013-2548)

net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize
certain structures, which allows local users to obtain sensitive
information from kernel stack memory via a crafted application.
(CVE-2013-2634)

The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel
before 3.8.4 does not initialize a certain structure member, which allows
local users to obtain sensitive information from kernel stack memory via
a crafted application. (CVE-2013-2635)

net/bridge/br_mdb.c in the Linux kernel before 3.8.4 does not initialize
certain structures, which allows local users to obtain sensitive
information from kernel memory via a crafted application. (CVE-2013-2636)

The crypto API in the Linux kernel through 3.9-rc8 does not initialize
certain length variables, which allows local users to obtain sensitive
information from kernel stack memory via a crafted recvmsg or recvfrom
system call, related to the hash_recvmsg function in crypto/algif_hash.c
and the skcipher_recvmsg function in crypto/algif_skcipher.c.
(CVE-2013-3076)

The vcc_recvmsg function in net/atm/common.c in the Linux kernel before
3.9-rc7 does not initialize a certain length variable, which allows local
users to obtain sensitive information from kernel stack memory via a
crafted recvmsg or recvfrom system call. (CVE-2013-3222)

The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before
3.9-rc7 does not initialize a certain data structure, which allows local
users to obtain sensitive information from kernel stack memory via a
crafted recvmsg or recvfrom system call. (CVE-2013-3223)

The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux
kernel before 3.9-rc7 does not properly initialize a certain length
variable, which allows local users to obtain sensitive information from
kernel stack memory via a crafted recvmsg or recvfrom system call.
(CVE-2013-3224)

The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the
Linux kernel before 3.9-rc7 does not initialize a certain length variable,
which allows local users to obtain sensitive information from kernel stack
memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3225)

The caif_seqpkt_recvmsg function in net/caif/caif_socket.c in the Linux
kernel before 3.9-rc7 does not initialize a certain length variable, which
allows local users to obtain sensitive information from kernel stack
memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3227)

The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel
before 3.9-rc7 does not initialize a certain length variable, which allows
local users to obtain sensitive information from kernel stack memory via
a crafted recvmsg or recvfrom system call. (CVE-2013-3228)

The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel
before 3.9-rc7 does not initialize a certain length variable, which allows
local users to obtain sensitive information from kernel stack memory via
a crafted recvmsg or recvfrom system call. (CVE-2013-3229)

The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before
3.9-rc7 does not initialize a certain length variable, which allows local
users to obtain sensitive information from kernel stack memory via a
crafted recvmsg or recvfrom system call. (CVE-2013-3231)

The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel
before 3.9-rc7 does not initialize a certain data structure, which allows
local users to obtain sensitive information from kernel stack memory via
a crafted recvmsg or recvfrom system call. (CVE-2013-3232)

The llcp_sock_recvmsg function in net/nfc/llcp/sock.c in the Linux kernel
before 3.9-rc7 does not initialize a certain length variable and a certain
data structure, which allows local users to obtain sensitive information
from kernel stack memory via a crafted recvmsg or recvfrom system call.
(CVE-2013-3233)

The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before
3.9-rc7 does not initialize a certain data structure, which allows local
users to obtain sensitive information from kernel stack memory via a
crafted recvmsg or recvfrom system call. (CVE-2013-3234)

net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize
a certain data structure and a certain length variable, which allows local
users to obtain sensitive information from kernel stack memory via a
crafted recvmsg or recvfrom system call. (CVE-2013-3235)
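The recvmsg entries above (CVE-2013-3076 and CVE-2013-3222 through
CVE-2013-3235) all share one shape: the protocol's recvmsg only writes
msg_namelen on the path that returns a peer address, so on the other path
the caller-supplied buffer length survives and the generic socket layer
copies that many uninitialised kernel stack bytes back to user space. The
following is an added model of that pattern and of the fix, written for this
advisory and not taken from the kernel; msghdr_like, proto_recvmsg and the
0xAA fill standing in for stale stack memory are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define ADDR_MAX 128   /* size of the kernel-side sockaddr buffer */
#define STALE    0xAA  /* stands in for leftover kernel stack bytes */

/* Stand-ins for the kernel structures (constructed for this example). */
struct msghdr_like {
    unsigned char *msg_name;    /* caller's address buffer */
    size_t         msg_namelen; /* in: buffer size; out: bytes returned */
};

/* Generic socket layer: copies msg_namelen bytes of the kernel-side address
 * buffer back to the caller, trusting the length the protocol left behind. */
static size_t copy_addr_to_caller(struct msghdr_like *msg, const unsigned char *addr) {
    size_t n = msg->msg_namelen < ADDR_MAX ? msg->msg_namelen : ADDR_MAX;
    memcpy(msg->msg_name, addr, n);
    return n;
}

/* Protocol recvmsg. 'fixed' selects the upstream-style fix: msg_namelen is
 * zeroed before any path that returns no address; without it the
 * caller-supplied length survives and that many stale bytes are copied out. */
static size_t proto_recvmsg(struct msghdr_like *msg, bool has_peer, bool fixed) {
    unsigned char addr[ADDR_MAX];
    memset(addr, STALE, sizeof addr);   /* model of uninitialised stack memory */
    if (fixed) msg->msg_namelen = 0;    /* the one-line fix */
    if (has_peer) {
        const unsigned char peer[4] = {10, 0, 0, 1};   /* constructed sample */
        memcpy(addr, peer, sizeof peer);
        msg->msg_namelen = sizeof peer;
    }
    return copy_addr_to_caller(msg, addr);
}

/* How many stale bytes reach a caller who passed a full-size buffer? */
size_t stale_bytes_returned(bool fixed, bool has_peer) {
    unsigned char out[ADDR_MAX] = {0};
    struct msghdr_like msg = { out, sizeof out };
    size_t n = proto_recvmsg(&msg, has_peer, fixed);
    size_t stale = 0;
    for (size_t i = 0; i < n; i++) stale += (out[i] == STALE);
    return stale;
}
/* Address length the caller sees back; checks the fix still returns peers. */
size_t addr_len_returned(bool fixed, bool has_peer) {
    unsigned char out[ADDR_MAX] = {0};
    struct msghdr_like msg = { out, sizeof out };
    return proto_recvmsg(&msg, has_peer, fixed);
}
```

With a 128-byte caller buffer and no peer address, the unfixed path hands back all 128 stale bytes while the fixed path returns a zero length; with a peer address both return the 4-byte address only.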

Other changes:
The Atheros alx gigabit ethernet driver is updated to the latest upstream
version to support more hardware, including Atheros Killer e2200 ethernet
(mga #9979).

For other changes in the -stable kernels, see the referenced changelogs.


Updated Packages:
i586:
kernel-vserver-3.4.45-1.mga2-1-1.mga2.i586.rpm
kernel-vserver-devel-3.4.45-1.mga2-1-1.mga2.i586.rpm
kernel-vserver-devel-latest-3.4.45-1.mga2.i586.rpm
kernel-vserver-doc-3.4.45-1.mga2.noarch.rpm
kernel-vserver-latest-3.4.45-1.mga2.i586.rpm
kernel-vserver-source-3.4.45-1.mga2-1-1.mga2.noarch.rpm
kernel-vserver-source-latest-3.4.45-1.mga2.noarch.rpm

x86_64:
kernel-vserver-3.4.45-1.mga2-1-1.mga2.x86_64.rpm
kernel-vserver-devel-3.4.45-1.mga2-1-1.mga2.x86_64.rpm
kernel-vserver-devel-latest-3.4.45-1.mga2.x86_64.rpm
kernel-vserver-doc-3.4.45-1.mga2.noarch.rpm
kernel-vserver-latest-3.4.45-1.mga2.x86_64.rpm
kernel-vserver-source-3.4.45-1.mga2-1-1.mga2.noarch.rpm
kernel-vserver-source-latest-3.4.45-1.mga2.noarch.rpm

SRPMS:
kernel-vserver-3.4.45-1.mga2.src.rpm


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0311
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0913
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0914
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1860
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1928
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1979
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2546
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2635
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2636
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3222
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3223
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3225
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3227
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3235
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.35
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.36
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.37
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.38
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.39
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.40
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.41
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.42
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.43
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.44
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.45
https://bugs.mageia.org/show_bug.cgi?id=9979
https://bugs.mageia.org/show_bug.cgi?id=9957