Message-Id: <E1XgVEX-0007aQ-0I@titan.mandriva.com>
Date: Tue, 21 Oct 2014 10:56:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2014:201 ] kernel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:201
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : kernel
 Date    : October 21, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in the Linux
 kernel:
 
 The try_to_unmap_cluster function in mm/rmap.c in the Linux kernel
 before 3.14.3 does not properly consider which pages must be locked,
 which allows local users to cause a denial of service (system crash) by
 triggering a memory-usage pattern that requires removal of page-table
 mappings (CVE-2014-3122).
 
 Multiple stack-based buffer overflows in the magicmouse_raw_event
 function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver
 in the Linux kernel through 3.16.3 allow physically proximate attackers
 to cause a denial of service (system crash) or possibly execute
 arbitrary code via a crafted device that provides a large amount of
 (1) EHCI or (2) XHCI data associated with an event (CVE-2014-3181).
 
 Array index error in the logi_dj_raw_event function in
 drivers/hid/hid-logitech-dj.c in the Linux kernel before 3.16.2 allows
 physically proximate attackers to execute arbitrary code or cause a
 denial of service (invalid kfree) via a crafted device that provides
 a malformed REPORT_TYPE_NOTIF_DEVICE_UNPAIRED value (CVE-2014-3182).
 
 The report_fixup functions in the HID subsystem in the Linux
 kernel before 3.16.2 might allow physically proximate attackers
 to cause a denial of service (out-of-bounds write) via a crafted
 device that provides a small report descriptor, related to
 (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c,
 (3) drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5)
 drivers/hid/hid-petalynx.c, and (6) drivers/hid/hid-sunplus.c
 (CVE-2014-3184).
 
 Multiple buffer overflows in the command_port_read_callback function in
 drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in
 the Linux kernel before 3.16.2 allow physically proximate attackers
 to execute arbitrary code or cause a denial of service (memory
 corruption and system crash) via a crafted device that provides a large
 amount of (1) EHCI or (2) XHCI data associated with a bulk response
 (CVE-2014-3185).
 
 Buffer overflow in the picolcd_raw_event function in
 drivers/hid/hid-picolcd_core.c in the PicoLCD HID device driver in the
 Linux kernel through 3.16.3, as used in Android on Nexus 7 devices,
 allows physically proximate attackers to cause a denial of service
 (system crash) or possibly execute arbitrary code via a crafted device
 that sends a large report (CVE-2014-3186).
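
 The magicmouse, whiteheat and picolcd entries above describe one bug
 shape: the host controller delivers a report whose length the device
 chose, and the driver uses that length, or a record count derived from
 it, to index or fill fixed-size per-device state without checking it
 first. What follows is an added userspace model of a raw_event()
 callback written for this page; it is not code from any of those drivers.
 The report layout (HDR_LEN, TOUCH_LEN), the MAX_TOUCHES limit and the
 helper names are assumptions made for the model. It places the unchecked
 handler next to a hardened one that validates the length before it
 becomes a loop bound.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Added example, not kernel HID driver code: a userspace model of a
 * raw_event() callback fed a device-chosen report.  Layout constants
 * below are assumptions for the model.
 */
#define MAX_TOUCHES 16          /* slots of per-device state */
#define HDR_LEN      4          /* bytes of prefix before the records */
#define TOUCH_LEN    9          /* bytes per touch record */

struct touch { int x, y, id; };

struct dev_state {
    struct touch touches[MAX_TOUCHES];
    int ntouches;
};

/* How many records a report of this size claims to carry. */
static int touch_count_from_size(int size)
{
    return (size - HDR_LEN) / TOUCH_LEN;
}

static void emit_touch(struct touch *t, const uint8_t *rec)
{
    t->x  = rec[0] | (rec[1] << 8);
    t->y  = rec[2] | (rec[3] << 8);
    t->id = rec[8];
}

/*
 * Vulnerable shape: the loop bound comes straight from the device, so a
 * report with more than MAX_TOUCHES records writes past the array.  Only
 * ever call this with a well-formed report.
 */
static int raw_event_vulnerable(struct dev_state *s, const uint8_t *data, int size)
{
    int npoints = touch_count_from_size(size);
    s->ntouches = 0;
    for (int i = 0; i < npoints; i++)
        emit_touch(&s->touches[s->ntouches++], data + HDR_LEN + i * TOUCH_LEN);
    return s->ntouches;
}

/* Hardened shape: validate the length before it becomes a loop bound. */
static int raw_event_hardened(struct dev_state *s, const uint8_t *data, int size)
{
    if (size < HDR_LEN || (size - HDR_LEN) % TOUCH_LEN != 0)
        return -1;                          /* truncated or misaligned: drop */
    int npoints = touch_count_from_size(size);
    if (npoints > MAX_TOUCHES)
        return -1;                          /* more records than state: drop */
    s->ntouches = 0;
    for (int i = 0; i < npoints; i++)
        emit_touch(&s->touches[s->ntouches++], data + HDR_LEN + i * TOUCH_LEN);
    return s->ntouches;
}

/* Constructed report with n records (x = 10*i, y = 20*i, id = i); not captured hardware data. */
static int build_report(uint8_t *buf, size_t cap, int n)
{
    int size = HDR_LEN + n * TOUCH_LEN;
    if (n < 0 || (size_t)size > cap)
        return -1;
    memset(buf, 0, (size_t)size);
    for (int i = 0; i < n; i++) {
        uint8_t *rec = buf + HDR_LEN + i * TOUCH_LEN;
        rec[0] = (uint8_t)(10 * i);
        rec[2] = (uint8_t)(20 * i);
        rec[8] = (uint8_t)i;
    }
    return size;
}

/* Hardened handler on a constructed n-record report; returns its verdict. */
static int hardened_verdict(int n)
{
    uint8_t buf[1024];
    struct dev_state s;
    int size = build_report(buf, sizeof buf, n);
    return size < 0 ? -2 : raw_event_hardened(&s, buf, size);
}

/* Hardened handler handed a zero-filled report of exactly `size` bytes. */
static int hardened_verdict_size(int size)
{
    uint8_t buf[1024] = {0};
    struct dev_state s;
    return (size < 0 || (size_t)size > sizeof buf) ? -2 : raw_event_hardened(&s, buf, size);
}

int main(void)
{
    uint8_t buf[1024];
    struct dev_state s;
    int size = build_report(buf, sizeof buf, 3);
    int v = raw_event_vulnerable(&s, buf, size);
    int h = raw_event_hardened(&s, buf, size);
    printf("3 records: vulnerable=%d hardened=%d (touch[2] = %d,%d id %d)\n",
           v, h, s.touches[2].x, s.touches[2].y, s.touches[2].id);
    int big = build_report(buf, sizeof buf, 40);
    printf("40 records claim %d slots of %d; hardened verdict %d\n",
           touch_count_from_size(big), MAX_TOUCHES, hardened_verdict(40));
    return 0;
}
```

 Build with any C99 compiler and run. The hardened handler drops a
 40-record report that the unchecked handler would spread across 40 slots
 of a 16-slot array, and it also drops reports shorter than the prefix or
 not a whole number of records. A size check of this kind at the top of
 the callback, before the length is used as a count or copy size, is what
 the upstream fixes for these entries add.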
 
 arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390
 platform does not properly restrict address-space control operations
 in PTRACE_POKEUSR_AREA requests, which allows local users to obtain
 read and write access to kernel memory locations, and consequently gain
 privileges, via a crafted application that makes a ptrace system call
 (CVE-2014-3534).
 
 The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux
 kernel through 3.16.1 miscalculates the number of pages during the
 handling of a mapping failure, which allows guest OS users to (1)
 cause a denial of service (host OS memory corruption) or possibly
 have unspecified other impact by triggering a large gfn value or (2)
 cause a denial of service (host OS memory consumption) by triggering a
 small gfn value that leads to permanently pinned pages (CVE-2014-3601).
 
 The sctp_assoc_update function in net/sctp/associola.c in the
 Linux kernel through 3.15.8, when SCTP authentication is enabled,
 allows remote attackers to cause a denial of service (NULL pointer
 dereference and OOPS) by starting to establish an association between
 two endpoints immediately after an exchange of INIT and INIT ACK
 chunks to establish an earlier association between these endpoints
 in the opposite direction (CVE-2014-5077).
 
 The do_remount function in fs/namespace.c in the Linux kernel through
 3.16.1 does not maintain the MNT_LOCK_READONLY bit across a remount of
 a bind mount, which allows local users to bypass an intended read-only
 restriction and defeat certain sandbox protection mechanisms via a
 mount -o remount command within a user namespace (CVE-2014-5206).
 
 Stack consumption vulnerability in the parse_rock_ridge_inode_internal
 function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows
 local users to cause a denial of service (uncontrolled recursion, and
 system crash or reboot) via a crafted iso9660 image with a CL entry
 referring to a directory entry that has a CL entry (CVE-2014-5471).
 
 The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in
 the Linux kernel through 3.16.1 allows local users to cause a denial
 of service (unkillable mount process) via a crafted iso9660 image
 with a self-referential CL entry (CVE-2014-5472).
 
 The __udf_read_inode function in fs/udf/inode.c in the Linux kernel
 through 3.16.3 does not restrict the amount of ICB indirection, which
 allows physically proximate attackers to cause a denial of service
 (infinite loop or stack consumption) via a UDF filesystem with a
 crafted inode (CVE-2014-6410).
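
 The two isofs entries and the UDF entry above are the same defect in two
 filesystems: a pointer stored in the image (a Rock Ridge CL entry, a UDF
 indirect ICB) is followed without a limit, so an image in which the
 pointer refers back to its own block, or to another block that points
 back, keeps the kernel walking or recursing until the stack is gone.
 Below is an added userspace model of that walk, written for this page and
 not taken from fs/isofs or fs/udf; the record layout, the NO_LINK marker
 and the MAX_NESTING value are assumptions for the model. It shows the
 unbounded recursive form beside a bounded iterative one that rejects a
 self-reference, caps the number of hops, and range-checks every block
 before dereferencing it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not code from fs/isofs or fs/udf: a userspace model of
 * following an on-disk relocation pointer.  Every field comes from the
 * image, so the walker has to bound its own work.
 */
#define NO_LINK     UINT32_MAX
#define MAX_NESTING 8            /* hop limit; an assumption for the model */

enum walk_status {
    WALK_OK,          /* reached a record holding inline data */
    WALK_SELF_REF,    /* record points at itself */
    WALK_TOO_DEEP,    /* chain or cycle longer than MAX_NESTING hops */
    WALK_BAD_BLOCK    /* link points outside the image */
};

struct record {
    uint32_t link;    /* block number of the next record, or NO_LINK */
    int      payload; /* stand-in for the inode data being looked up */
};

/*
 * The vulnerable shape: recursion with no depth limit and no identity
 * check.  A self-referential record or a two-record cycle never returns;
 * a long chain eats the stack.  Shown for contrast; only call it on an
 * acyclic image.
 */
static int walk_unbounded(const struct record *img, uint32_t blk)
{
    if (img[blk].link == NO_LINK)
        return img[blk].payload;
    return walk_unbounded(img, img[blk].link);
}

/* The hardened shape: iterative, bounded, every index validated first. */
static enum walk_status walk_bounded(const struct record *img, size_t nrec,
                                     uint32_t blk, int *out)
{
    for (int depth = 0; depth <= MAX_NESTING; depth++) {
        if (blk >= nrec)
            return WALK_BAD_BLOCK;
        uint32_t next = img[blk].link;
        if (next == NO_LINK) {
            *out = img[blk].payload;
            return WALK_OK;
        }
        if (next == blk)
            return WALK_SELF_REF;
        blk = next;
    }
    return WALK_TOO_DEEP;
}

/* Constructed images (not from any real disc), one per case. */
static const struct record IMG_CHAIN[] = { {1, 0}, {2, 0}, {NO_LINK, 42} }; /* 0 -> 1 -> 2 */
static const struct record IMG_SELF[]  = { {0, 0} };                        /* 0 -> 0 */
static const struct record IMG_CYCLE[] = { {1, 0}, {0, 0} };                /* 0 -> 1 -> 0 */
static const struct record IMG_STRAY[] = { {99, 0} };                       /* 0 -> 99, no such block */

static int resolve_chain(void)
{
    int v = -1;
    return walk_bounded(IMG_CHAIN, 3, 0, &v) == WALK_OK ? v : -1;
}
static enum walk_status resolve_self(void)  { int v; return walk_bounded(IMG_SELF,  1, 0, &v); }
static enum walk_status resolve_cycle(void) { int v; return walk_bounded(IMG_CYCLE, 2, 0, &v); }
static enum walk_status resolve_stray(void) { int v; return walk_bounded(IMG_STRAY, 1, 0, &v); }

int main(void)
{
    printf("chain: %d (unbounded walker agrees: %d)\n",
           resolve_chain(), walk_unbounded(IMG_CHAIN, 0));
    printf("self-ref: %d  cycle: %d  stray: %d\n",
           resolve_self(), resolve_cycle(), resolve_stray());
    return 0;
}
```

 The self-referential image is the CVE-2014-5472 shape, the two-record
 cycle and a long chain are the CVE-2014-5471 and CVE-2014-6410 shapes.
 The upstream fixes take the same approach: isofs refuses a CL entry that
 points at its own block or at another relocated directory, and udf turns
 the recursion into a loop whose indirection count is checked against a
 fixed limit.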
 
 The do_umount function in fs/namespace.c in the Linux kernel through
 3.17 does not require the CAP_SYS_ADMIN capability for do_remount_sb
 calls that change the root filesystem to read-only, which allows
 local users to cause a denial of service (loss of writability) by
 making certain unshare system calls, clearing the / MNT_LOCKED flag,
 and making an MNT_FORCE umount system call (CVE-2014-7975).
 
 The updated packages provide a solution for these security issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3122
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3181
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3182
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3184
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3185
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3186
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3534
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3601
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5077
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5206
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5471
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5472
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6410
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7975
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 706f1d3e028f5c472fae4cd5647fdf2c  mbs1/x86_64/cpupower-3.4.104-1.1.mbs1.x86_64.rpm
 0197c7237e6de17e12ed06e19a24a1f3  mbs1/x86_64/kernel-firmware-3.4.104-1.1.mbs1.noarch.rpm
 02105e0da2b67be743fc2fb09e5cb7bd  mbs1/x86_64/kernel-headers-3.4.104-1.1.mbs1.x86_64.rpm
 c7c658c1fb347718937a094224ac8253  mbs1/x86_64/kernel-server-3.4.104-1.1.mbs1.x86_64.rpm
 72d8fab7697670cbc0e133f60c5c9106  mbs1/x86_64/kernel-server-devel-3.4.104-1.1.mbs1.x86_64.rpm
 e4352dee03821deb157454ca1ee5c085  mbs1/x86_64/kernel-source-3.4.104-1.mbs1.noarch.rpm
 c7c93d2471a205797fa628405cee250b  mbs1/x86_64/lib64cpupower0-3.4.104-1.1.mbs1.x86_64.rpm
 09c3ce0b324c9f077a25435f2fadfa54  mbs1/x86_64/lib64cpupower-devel-3.4.104-1.1.mbs1.x86_64.rpm
 46e6313a2a74f0c6e5704a84ad6a9350  mbs1/x86_64/perf-3.4.104-1.1.mbs1.x86_64.rpm
 6ba4c2613b0c731f74e349feb08aa7ed  mbs1/SRPMS/cpupower-3.4.104-1.1.mbs1.src.rpm
 fb946993475cccf1445d9dc5d03578f0  mbs1/SRPMS/kernel-firmware-3.4.104-1.1.mbs1.src.rpm
 ecd7276d9cbe6d58d0ff72437e942155  mbs1/SRPMS/kernel-headers-3.4.104-1.1.mbs1.src.rpm
 e47de9f04bd8c4fa65cd7064d7162beb  mbs1/SRPMS/kernel-server-3.4.104-1.1.mbs1.src.rpm
 0904c9462ac38c922acb9163c30733ff  mbs1/SRPMS/kernel-source-3.4.104-1.mbs1.src.rpm
 94ce7abe8ff4987551f0570443855114  mbs1/SRPMS/perf-3.4.104-1.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFURhGCmqjQ0CJFipgRAoLRAKDR5wdSK1v3VCX41UNZ8jt4WXTXAgCg2cT9
1AkEOWCipx3+f5N53jNv2FE=
=R/oJ
-----END PGP SIGNATURE-----
