BugTraq
[ MDVSA-2014:124 ] kernel Jun 13 2014 03:43PM
security mandriva com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:124
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : kernel
Date : June 13, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been found and corrected in the Linux
kernel:

kernel/auditsc.c in the Linux kernel through 3.14.5, when
CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows
local users to obtain potentially sensitive single-bit values from
kernel memory or cause a denial of service (OOPS) via a large value
of a syscall number (CVE-2014-3917).

The futex_requeue function in kernel/futex.c in the Linux kernel
through 3.14.5 does not ensure that calls have two different futex
addresses, which allows local users to gain privileges via a crafted
FUTEX_REQUEUE command that facilitates unsafe waiter modification
(CVE-2014-3153).

Race condition in the ath_tx_aggr_sleep function in
drivers/net/wireless/ath/ath9k/xmit.c in the Linux kernel before
3.13.7 allows remote attackers to cause a denial of service (system
crash) via a large amount of network traffic that triggers certain
list deletions (CVE-2014-2672).

The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension
implementations in the sk_run_filter function in net/core/filter.c
in the Linux kernel through 3.14.3 do not check whether a certain
length value is sufficiently large, which allows local users to
cause a denial of service (integer underflow and system crash)
via crafted BPF instructions. NOTE: the affected code was moved to
the __skb_get_nlattr and __skb_get_nlattr_nest functions before the
vulnerability was announced (CVE-2014-3144).

The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter
function in net/core/filter.c in the Linux kernel through 3.14.3
uses the reverse order in a certain subtraction, which allows local
users to cause a denial of service (over-read and system crash) via
crafted BPF instructions. NOTE: the affected code was moved to the
__skb_get_nlattr_nest function before the vulnerability was announced
(CVE-2014-3145).

Integer overflow in the ping_init_sock function in net/ipv4/ping.c
in the Linux kernel through 3.14.1 allows local users to cause a
denial of service (use-after-free and system crash) or possibly gain
privileges via a crafted application that leverages an improperly
managed reference counter (CVE-2014-2851).

The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel
through 3.14.3 does not properly manage tty driver access in the LECHO
& !OPOST case, which allows local users to cause a denial of service
(memory corruption and system crash) or gain privileges by triggering
a race condition involving read and write operations with long strings
(CVE-2014-0196).

The raw_cmd_copyout function in drivers/block/floppy.c in the Linux
kernel through 3.14.3 does not properly restrict access to certain
pointers during processing of an FDRAWCMD ioctl call, which allows
local users to obtain sensitive information from kernel heap memory
by leveraging write access to a /dev/fd device (CVE-2014-1738).

The raw_cmd_copyin function in drivers/block/floppy.c in the Linux
kernel through 3.14.3 does not properly handle error conditions during
processing of an FDRAWCMD ioctl call, which allows local users to
trigger kfree operations and gain privileges by leveraging write
access to a /dev/fd device (CVE-2014-1737).

The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel
through 3.14 allows local users to cause a denial of service (NULL
pointer dereference and system crash) or possibly have unspecified
other impact via a bind system call for an RDS socket on a system
that lacks RDS transports (CVE-2014-2678).

drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable
buffers are disabled, does not properly validate packet lengths, which
allows guest OS users to cause a denial of service (memory corruption
and host OS crash) or possibly gain privileges on the host OS via
crafted packets, related to the handle_rx and get_rx_bufs functions
(CVE-2014-0077).

The ip6_route_add function in net/ipv6/route.c in the Linux kernel
through 3.13.6 does not properly count the addition of routes,
which allows remote attackers to cause a denial of service (memory
consumption) via a flood of ICMPv6 Router Advertisement packets
(CVE-2014-2309).

Multiple array index errors in drivers/hid/hid-multitouch.c in the
Human Interface Device (HID) subsystem in the Linux kernel through
3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate
attackers to cause a denial of service (heap memory corruption, or NULL
pointer dereference and OOPS) via a crafted device (CVE-2013-2897).

net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through
3.13.6 uses a DCCP header pointer incorrectly, which allows remote
attackers to cause a denial of service (system crash) or possibly
execute arbitrary code via a DCCP packet that triggers a call
to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function
(CVE-2014-2523).

Race condition in the mac80211 subsystem in the Linux kernel
before 3.13.7 allows remote attackers to cause a denial of service
(system crash) via network traffic that improperly interacts with the
WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c
and tx.c (CVE-2014-2706).

The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the
Linux kernel through 3.13.6 does not validate certain auth_enable
and auth_capable fields before making an sctp_sf_authenticate call,
which allows remote attackers to cause a denial of service (NULL
pointer dereference and system crash) via an SCTP handshake with
a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO
chunk (CVE-2014-0101).

The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel
through 3.13.5 does not properly handle uncached write operations
that copy fewer than the requested number of bytes, which allows
local users to obtain sensitive information from kernel memory,
cause a denial of service (memory corruption and system crash),
or possibly gain privileges via a writev system call with a crafted
pointer (CVE-2014-0069).

arch/s390/kernel/head64.S in the Linux kernel before 3.13.5 on the s390
platform does not properly handle attempted use of the linkage stack,
which allows local users to cause a denial of service (system crash)
by executing a crafted instruction (CVE-2014-2039).

Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the
Linux kernel before 3.2.24 allows local users to cause a denial
of service (crash) and possibly execute arbitrary code via vectors
related to Message Signaled Interrupts (MSI), irq routing entries,
and an incorrect check by the setup_routing_entry function before
invoking the kvm_set_irq function (CVE-2012-2137).

The security_context_to_sid_core function in
security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows
local users to cause a denial of service (system crash) by leveraging
the CAP_MAC_ADMIN capability to set a zero-length security context
(CVE-2014-1874).

The updated packages provide a solution for these security issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2897
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1874
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2039
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2309
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3917
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
d4a1665d801553272f379aa8190d7208 mbs1/x86_64/cpupower-3.4.93-1.1.mbs1.x86_64.rpm
dac586e9467ccffcb0f03d7d6902c714 mbs1/x86_64/kernel-firmware-3.4.93-1.1.mbs1.noarch.rpm
d67bdbd6148b7e7f187244fc2fb17629 mbs1/x86_64/kernel-headers-3.4.93-1.1.mbs1.src.rpm
6f011d528d57e6bfe3f348e124cc11d5 mbs1/x86_64/kernel-headers-3.4.93-1.1.mbs1.x86_64.rpm
6d7935addb463a2dc0cec144390f0786 mbs1/x86_64/kernel-server-3.4.93-1.1.mbs1.x86_64.rpm
c013f3a9ae5f48694d91bfac81169c67 mbs1/x86_64/kernel-server-devel-3.4.93-1.1.mbs1.x86_64.rpm
87c7893b5fdfed6d766cac365e78f213 mbs1/x86_64/kernel-source-3.4.93-1.mbs1.noarch.rpm
298e025c2b05845d67efc4566db3d152 mbs1/x86_64/lib64cpupower0-3.4.93-1.1.mbs1.x86_64.rpm
45e43387ed27d1281fe5b15304f796f6 mbs1/x86_64/lib64cpupower-devel-3.4.93-1.1.mbs1.x86_64.rpm
3a74f07a429ea1b403d676f73b7ecbf9 mbs1/x86_64/perf-3.4.93-1.1.mbs1.x86_64.rpm
bd6bd37cd3ff3b6844b04821d6da2779 mbs1/SRPMS/cpupower-3.4.93-1.1.mbs1.src.rpm
88c98d0723446a0717159574e06d9e3b mbs1/SRPMS/kernel-firmware-3.4.93-1.1.mbs1.src.rpm
7a84b2886c92e812943c76b2faafd068 mbs1/SRPMS/kernel-server-3.4.93-1.1.mbs1.src.rpm
7a431cec5f9862815f4d92f2ca1f8d9d mbs1/SRPMS/kernel-source-3.4.93-1.mbs1.src.rpm
65654157eb504295dbd05676ed40c968 mbs1/SRPMS/perf-3.4.93-1.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
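The advisory notes that urpmi and MandrivaUpdate verify md5 checksums and GPG signatures for you. For packages fetched by hand or staged on a local mirror, the same checks can be done manually. The script below is an added example and is not part of the Mandriva advisory or Mandriva's tooling; it assumes the "Updated Packages" block has been saved to a text file as printed (one "<md5> <path>" entry per line), that the packages sit in one local directory, that the `gpg --export`/`rpm --import` step shown in a comment is how the key named above is loaded into the rpm keyring, and the package name and payload used in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Mandriva advisory: manually verify
# downloaded update packages against the md5 list printed under
# "Updated Packages" before installing them by hand.
#
# List file format: one "<md5> <path>" entry per line, exactly as the
# advisory prints it. The advisory paths carry a mirror prefix
# (mbs1/x86_64/...), so only the file name is matched against the
# download directory. Names used in the demo below are constructed.

# verify_advisory_checksums LISTFILE DIR
# Prints one line per entry; returns 0 only if every listed package is
# present in DIR and its md5 matches the advisory.
verify_advisory_checksums() {
    list="$1"
    dir="$2"
    status=0
    while read -r sum path; do
        [ -z "$sum" ] && continue          # skip blank lines
        file="$dir/$(basename "$path")"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (got $actual)"
            status=1
        fi
    done < "$list"
    return "$status"
}

# verify_rpm_signatures DIR
# Checks the GPG signature on every .rpm in DIR with rpm --checksig.
# The Mandriva Security Team key (0x22458A98, fetched with the gpg
# command in the advisory) must first be in the rpm keyring, e.g.
# (assumed standard approach, not from the advisory):
#   gpg --export -a 0x22458A98 > mandriva-sec.asc
#   rpm --import mandriva-sec.asc
# Returns 0 if all signatures verify, 1 on any failure, and 2 when rpm
# is not installed (the check was skipped, not passed).
verify_rpm_signatures() {
    dir="$1"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; signature check skipped"
        return 2
    fi
    for f in "$dir"/*.rpm; do
        rpm --checksig "$f" || return 1
    done
    return 0
}

# Demo with a constructed package file and a list in the advisory's
# format: a clean download passes, a tampered one is reported.
demo_checksum_verification() {
    tmp=$(mktemp -d)
    pkg="kernel-server-3.4.93-1.1.mbs1.x86_64.rpm"   # constructed stand-in
    printf 'constructed stand-in for an rpm payload\n' > "$tmp/$pkg"
    good=$(md5sum "$tmp/$pkg" | cut -d' ' -f1)
    printf '%s mbs1/x86_64/%s\n' "$good" "$pkg" > "$tmp/list.txt"
    verify_advisory_checksums "$tmp/list.txt" "$tmp"
    ok=$?
    printf 'tampered\n' >> "$tmp/$pkg"          # simulate a corrupted download
    verify_advisory_checksums "$tmp/list.txt" "$tmp"
    tampered=$?
    rm -rf "$tmp"
    # First run returns 0 (OK), second returns 1 (MISMATCH).
    [ "$ok" -eq 0 ] && [ "$tampered" -eq 1 ]
}

demo_checksum_verification
```

The md5 list guards against a truncated or corrupted download; it is not what proves the package came from Mandriva, since the list itself travels in the same advisory. The GPG signature check on the rpm (verify_rpm_signatures, against the key the advisory tells you to fetch) is the authoritative step, so treat a return value of 2 as "not checked" rather than as a pass.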

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTmvH3mqjQ0CJFipgRAjgaAKDtCfvK/cukQMyPkhdgllxaobQHFQCdHoJo
g42VcK2YoEgcX9BPP3/zfWg=
=4uZg
-----END PGP SIGNATURE-----
