lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1Ur7KG-0000Yh-Bm@titan.mandriva.com>
Date: Mon, 24 Jun 2013 16:01:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2013:176 ] kernel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:176
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : kernel
 Date    : June 24, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in the Linux
 kernel:
 
 The scm_set_cred function in include/net/scm.h in the Linux kernel
 before 3.8.11 uses incorrect uid and gid values during credentials
 passing, which allows local users to gain privileges via a crafted
 application. (CVE-2013-1979)
 
 The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel
 before 3.9-rc7 does not initialize a certain data structure, which
 allows local users to obtain sensitive information from kernel stack
 memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3232)
 
 net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not
 initialize a certain data structure and a certain length variable,
 which allows local users to obtain sensitive information from
 kernel stack memory via a crafted recvmsg or recvfrom system
 call. (CVE-2013-3235)
 
 The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel
 before 3.9-rc7 does not initialize a certain data structure, which
 allows local users to obtain sensitive information from kernel stack
 memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3234)
 
 The llcp_sock_recvmsg function in net/nfc/llcp/sock.c in the Linux
 kernel before 3.9-rc7 does not initialize a certain length variable
 and a certain data structure, which allows local users to obtain
 sensitive information from kernel stack memory via a crafted recvmsg
 or recvfrom system call. (CVE-2013-3233)
 
 The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel
 before 3.9-rc7 does not initialize a certain length variable, which
 allows local users to obtain sensitive information from kernel stack
 memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3231)
 
 The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the
 Linux kernel before 3.9-rc7 does not initialize a certain length
 variable, which allows local users to obtain sensitive information
 from kernel stack memory via a crafted recvmsg or recvfrom system
 call. (CVE-2013-3229)
 
 The irda_recvmsg_dgram function in net/irda/af_irda.c in the
 Linux kernel before 3.9-rc7 does not initialize a certain length
 variable, which allows local users to obtain sensitive information
 from kernel stack memory via a crafted recvmsg or recvfrom system
 call. (CVE-2013-3228)
 
 The caif_seqpkt_recvmsg function in net/caif/caif_socket.c in the
 Linux kernel before 3.9-rc7 does not initialize a certain length
 variable, which allows local users to obtain sensitive information
 from kernel stack memory via a crafted recvmsg or recvfrom system
 call. (CVE-2013-3227)
 
 The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in
 the Linux kernel before 3.9-rc7 does not initialize a certain length
 variable, which allows local users to obtain sensitive information
 from kernel stack memory via a crafted recvmsg or recvfrom system
 call. (CVE-2013-3225)
 
 The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in
 the Linux kernel before 3.9-rc7 does not properly initialize a
 certain length variable, which allows local users to obtain sensitive
 information from kernel stack memory via a crafted recvmsg or recvfrom
 system call. (CVE-2013-3224)
 
 The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel
 before 3.9-rc7 does not initialize a certain data structure, which
 allows local users to obtain sensitive information from kernel stack
 memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3223)
 
 The vcc_recvmsg function in net/atm/common.c in the Linux kernel
 before 3.9-rc7 does not initialize a certain length variable, which
 allows local users to obtain sensitive information from kernel stack
 memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3222)
 
 Integer overflow in the fb_mmap function in drivers/video/fbmem.c in
 the Linux kernel before 3.8.9, as used in a certain Motorola build
 of Android 4.1.2 and other products, allows local users to create
 a read-write memory mapping for the entirety of kernel memory,
 and consequently gain privileges, via crafted /dev/graphics/fb0
 mmap2 system calls, as demonstrated by the Motochopper pwn
 program. (CVE-2013-2596)
 
 arch/x86/kernel/cpu/perf_event_intel.c in the Linux kernel before
 3.8.9, when the Performance Events Subsystem is enabled, specifies
 an incorrect bitmask, which allows local users to cause a denial of
 service (general protection fault and system crash) by attempting to
 set a reserved bit. (CVE-2013-2146)
 
 The perf_swevent_init function in kernel/events/core.c in the Linux
 kernel before 3.8.9 uses an incorrect integer data type, which allows
 local users to gain privileges via a crafted perf_event_open system
 call. (CVE-2013-2094)
 
 The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux
 kernel through 3.8.4 does not properly handle a certain combination
 of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which
 allows guest OS users to obtain sensitive information from host OS
 memory or cause a denial of service (host OS OOPS) via a crafted
 application. (CVE-2013-1798)
 
 Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel
 through 3.8.4 allows guest OS users to cause a denial of service (host
 OS memory corruption) or possibly have unspecified other impact via a
 crafted application that triggers use of a guest physical address (GPA)
 in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME
 kvm_set_msr_common operation. (CVE-2013-1797)
 
 The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux
 kernel through 3.8.4 does not ensure a required time_page alignment
 during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users
 to cause a denial of service (buffer overflow and host OS memory
 corruption) or possibly have unspecified other impact via a crafted
 application. (CVE-2013-1796)
 
 The do_tkill function in kernel/signal.c in the Linux kernel before
 3.8.9 does not initialize a certain data structure, which allows
 local users to obtain sensitive information from kernel memory via
 a crafted application that makes a (1) tkill or (2) tgkill system
 call. (CVE-2013-2141)
 
 Heap-based buffer overflow in the tg3_read_vpd function in
 drivers/net/ethernet/broadcom/tg3.c in the Linux kernel before 3.8.6
 allows physically proximate attackers to cause a denial of service
 (system crash) or possibly execute arbitrary code via crafted firmware
 that specifies a long string in the Vital Product Data (VPD) data
 structure. (CVE-2013-1929)
 
 The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as
 distributed in the Linux kernel before 3.8-rc1, allows local users
 to cause a denial of service (daemon exit) via a crafted application
 that sends a Netlink message. NOTE: this vulnerability exists because
 of an incorrect fix for CVE-2012-2669. (CVE-2012-5532)
 
 The udf_encode_fh function in fs/udf/namei.c in the Linux kernel
 before 3.6 does not initialize a certain structure member, which
 allows local users to obtain sensitive information from kernel heap
 memory via a crafted application. (CVE-2012-6548)
 
 The isofs_export_encode_fh function in fs/isofs/export.c in the Linux
 kernel before 3.6 does not initialize a certain structure member,
 which allows local users to obtain sensitive information from kernel
 heap memory via a crafted application. (CVE-2012-6549)
 
 net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not
 initialize certain structures, which allows local users to obtain
 sensitive information from kernel stack memory via a crafted
 application. (CVE-2013-2634)
 
 The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux
 kernel before 3.8.4 does not initialize a certain structure member,
 which allows local users to obtain sensitive information from kernel
 stack memory via a crafted application. (CVE-2013-2635)
 
 fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect
 arguments to functions in certain circumstances related to printk
 input, which allows local users to conduct format-string attacks and
 possibly gain privileges via a crafted application. (CVE-2013-1848)
 
 The flush_signal_handlers function in kernel/signal.c in the Linux
 kernel before 3.8.4 preserves the value of the sa_restorer field across
 an exec operation, which makes it easier for local users to bypass
 the ASLR protection mechanism via a crafted application containing
 a sigaction system call. (CVE-2013-0914)
 
 Heap-based buffer overflow in the wdm_in_callback function in
 drivers/usb/class/cdc-wdm.c in the Linux kernel before 3.8.4 allows
 physically proximate attackers to cause a denial of service (system
 crash) or possibly execute arbitrary code via a crafted cdc-wdm USB
 device. (CVE-2013-1860)
 
 Race condition in the install_user_keyrings function in
 security/keys/process_keys.c in the Linux kernel before 3.8.3 allows
 local users to cause a denial of service (NULL pointer dereference
 and system crash) via crafted keyctl system calls that trigger keyring
 operations in simultaneous threads. (CVE-2013-1792)
 
 The report API in the crypto user configuration API in the Linux
 kernel through 3.8.2 uses an incorrect C library function for
 copying strings, which allows local users to obtain sensitive
 information from kernel stack memory by leveraging the CAP_NET_ADMIN
 capability. (CVE-2013-2546)
 
 The crypto_report_one function in crypto/crypto_user.c in the report
 API in the crypto user configuration API in the Linux kernel through
 3.8.2 does not initialize certain structure members, which allows
 local users to obtain sensitive information from kernel heap memory
 by leveraging the CAP_NET_ADMIN capability. (CVE-2013-2547)
 
 The crypto_report_one function in crypto/crypto_user.c in the report
 API in the crypto user configuration API in the Linux kernel through
 3.8.2 uses an incorrect length value during a copy operation, which
 allows local users to obtain sensitive information from kernel memory
 by leveraging the CAP_NET_ADMIN capability. (CVE-2013-2548)
 
 The translate_desc function in drivers/vhost/vhost.c in the Linux
 kernel before 3.7 does not properly handle cross-region descriptors,
 which allows guest OS users to obtain host OS privileges by leveraging
 KVM guest OS privileges. (CVE-2013-0311)
 
 Array index error in the __sock_diag_rcv_msg function in
 net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local
 users to gain privileges via a large family value in a Netlink
 message. (CVE-2013-1763)
 
 The __skb_recv_datagram function in net/core/datagram.c in the
 Linux kernel before 3.8 does not properly handle the MSG_PEEK
 flag with zero-length data, which allows local users to cause a
 denial of service (infinite loop and system hang) via a crafted
 application. (CVE-2013-0290)
 
 Use-after-free vulnerability in the shmem_remount_fs function in
 mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain
 privileges or cause a denial of service (system crash) by remounting
 a tmpfs filesystem without specifying a required mpol (aka mempolicy)
 mount option. (CVE-2013-1767)
 
 The xen_iret function in arch/x86/xen/xen-asm_32.S in the Linux
 kernel before 3.7.9 on 32-bit Xen paravirt_ops platforms does not
 properly handle an invalid value in the DS segment register, which
 allows guest OS users to gain guest OS privileges via a crafted
 application. (CVE-2013-0228)
 
 Memory leak in drivers/net/xen-netback/netback.c in the Xen netback
 functionality in the Linux kernel before 3.7.8 allows guest OS users to
 cause a denial of service (memory consumption) by triggering certain
 error conditions. (CVE-2013-0217)
 
 The Xen netback functionality in the Linux kernel before 3.7.8 allows
 guest OS users to cause a denial of service (loop) by triggering ring
 pointer corruption. (CVE-2013-0216)
 
 The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel
 before 3.6 does not initialize a certain structure, which allows
 local users to obtain sensitive information from kernel stack memory
 via a crafted application. (CVE-2012-6547)
 
 The updated packages provides a solution for these security issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5532
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6548
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6549
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0216
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0217
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0228
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0290
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0311
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0914
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1763
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1767
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1792
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1796
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1797
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1798
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1848
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1860
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1929
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1979
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2094
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2141
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2146
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2546
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2547
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2548
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2596
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2634
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2635
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3222
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3223
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3224
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3225
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3227
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3228
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3229
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3231
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3232
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3233
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3234
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3235
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6547
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 18e9c66d24025c64c10061ee756cde94  mbs1/x86_64/cpupower-3.4.47-1.1.mbs1.x86_64.rpm
 c53e69d993ec8198946a1f79b6f176c7  mbs1/x86_64/kernel-firmware-3.4.47-1.1.mbs1.noarch.rpm
 85a491506af457e4d919f0feed86d3b4  mbs1/x86_64/kernel-headers-3.4.47-1.1.mbs1.x86_64.rpm
 7681c37810fd52a5710fb46d0502723c  mbs1/x86_64/kernel-server-3.4.47-1.1.mbs1.x86_64.rpm
 08de7d2c63af7a82ac8f3805278f8f8c  mbs1/x86_64/kernel-server-devel-3.4.47-1.1.mbs1.x86_64.rpm
 dee143b63190ecd7fe64ba6452f5f21a  mbs1/x86_64/kernel-source-3.4.47-1.mbs1.noarch.rpm
 1fcb9093c61dfcf5c4a418052566839a  mbs1/x86_64/lib64cpupower0-3.4.47-1.1.mbs1.x86_64.rpm
 60887002e9fa519d3fd9633b98fe61e1  mbs1/x86_64/lib64cpupower-devel-3.4.47-1.1.mbs1.x86_64.rpm
 21bc503c22fc140933931d36af14b476  mbs1/x86_64/perf-3.4.47-1.1.mbs1.x86_64.rpm 
 574fe1f4865a9273255c020cc514d43e  mbs1/SRPMS/cpupower-3.4.47-1.1.mbs1.src.rpm
 f8ab20c86ad594e3f81696ea53aa3822  mbs1/SRPMS/kernel-firmware-3.4.47-1.1.mbs1.src.rpm
 073d35cb2c5028c1d76f9fca733272c3  mbs1/SRPMS/kernel-headers-3.4.47-1.1.mbs1.src.rpm
 70f7ad8e33b8d008aaf64c2b0ee1c12e  mbs1/SRPMS/kernel-server-3.4.47-1.1.mbs1.src.rpm
 660ac2b2898832943de84c2441255a63  mbs1/SRPMS/kernel-source-3.4.47-1.mbs1.src.rpm
 66d52ffc68df7d2710e95cf3d87384f0  mbs1/SRPMS/perf-3.4.47-1.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRyE83mqjQ0CJFipgRAgpsAKDCNZxW0lBVmcEPovg8gYgjVzLm4wCgpzoW
s4hnEgkN4Re4xoskJoTdPM0=
=gyQf
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists