Package name
kernel
Date
2014-06-13
Advisory ID
MDVSA-2014:124
Affected versions
MBS1 x86_64

Problem description

Multiple vulnerabilities have been found and corrected in the Linux
kernel:

kernel/auditsc.c in the Linux kernel through 3.14.5, when
CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows
local users to obtain potentially sensitive single-bit values from
kernel memory or cause a denial of service (OOPS) via a large value
of a syscall number (CVE-2014-3917).

The futex_requeue function in kernel/futex.c in the Linux kernel
through 3.14.5 does not ensure that calls have two different futex
addresses, which allows local users to gain privileges via a crafted
FUTEX_REQUEUE command that facilitates unsafe waiter modification
(CVE-2014-3153).

Race condition in the ath_tx_aggr_sleep function in
drivers/net/wireless/ath/ath9k/xmit.c in the Linux kernel before
3.13.7 allows remote attackers to cause a denial of service (system
crash) via a large amount of network traffic that triggers certain
list deletions (CVE-2014-2672).

The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension
implementations in the sk_run_filter function in net/core/filter.c
in the Linux kernel through 3.14.3 do not check whether a certain
length value is sufficiently large, which allows local users to
cause a denial of service (integer underflow and system crash)
via crafted BPF instructions. NOTE: the affected code was moved to
the __skb_get_nlattr and __skb_get_nlattr_nest functions before the
vulnerability was announced (CVE-2014-3144).

The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter
function in net/core/filter.c in the Linux kernel through 3.14.3
uses the reverse order in a certain subtraction, which allows local
users to cause a denial of service (over-read and system crash) via
crafted BPF instructions. NOTE: the affected code was moved to the
__skb_get_nlattr_nest function before the vulnerability was announced
(CVE-2014-3145).
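
The two length checks described above for CVE-2014-3144 and CVE-2014-3145, as an added user-space model that is not the kernel's code and not part of the original advisory. The function names, the 4-byte header size and the sample values are assumptions chosen for illustration; the model only evaluates the comparisons and never touches memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 4u  /* assumed size of the attribute header, in bytes */

/* Model of the flawed checks: returns 1 when an attribute header at
 * offset off, declaring attr_len bytes, is accepted for a message of
 * msg_len bytes. All arithmetic is unsigned 32-bit, so it wraps. */
int accept_flawed(uint32_t msg_len, uint32_t off, uint16_t attr_len)
{
    if (off > msg_len - HDR_LEN)   /* wraps when msg_len < HDR_LEN */
        return 0;
    if (attr_len > off - msg_len)  /* reversed operands: wraps to a huge bound */
        return 0;
    return 1;
}

/* Corrected form: reject short messages first, then compare the declared
 * length against the bytes that really remain after the offset. */
int accept_fixed(uint32_t msg_len, uint32_t off, uint16_t attr_len)
{
    if (msg_len < HDR_LEN)
        return 0;
    if (off > msg_len - HDR_LEN)
        return 0;
    if (attr_len > msg_len - off)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed cases: {msg_len, off, attr_len} */
    static const uint32_t cases[][3] = {
        {16, 4, 8},   /* well-formed: attribute fits */
        {2, 100, 4},  /* message shorter than one header */
        {8, 4, 64},   /* declared length runs past the end */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint32_t m = cases[i][0], o = cases[i][1];
        uint16_t a = (uint16_t)cases[i][2];
        printf("len=%u off=%u attr=%u flawed=%d fixed=%d\n", (unsigned)m,
               (unsigned)o, (unsigned)a, accept_flawed(m, o, a),
               accept_fixed(m, o, a));
    }
    return 0;
}
```
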

Integer overflow in the ping_init_sock function in net/ipv4/ping.c
in the Linux kernel through 3.14.1 allows local users to cause a
denial of service (use-after-free and system crash) or possibly gain
privileges via a crafted application that leverages an improperly
managed reference counter (CVE-2014-2851).

The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel
through 3.14.3 does not properly manage tty driver access in the LECHO
& !OPOST case, which allows local users to cause a denial of service
(memory corruption and system crash) or gain privileges by triggering
a race condition involving read and write operations with long strings
(CVE-2014-0196).

The raw_cmd_copyout function in drivers/block/floppy.c in the Linux
kernel through 3.14.3 does not properly restrict access to certain
pointers during processing of an FDRAWCMD ioctl call, which allows
local users to obtain sensitive information from kernel heap memory
by leveraging write access to a /dev/fd device (CVE-2014-1738).

The raw_cmd_copyin function in drivers/block/floppy.c in the Linux
kernel through 3.14.3 does not properly handle error conditions during
processing of an FDRAWCMD ioctl call, which allows local users to
trigger kfree operations and gain privileges by leveraging write
access to a /dev/fd device (CVE-2014-1737).

The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel
through 3.14 allows local users to cause a denial of service (NULL
pointer dereference and system crash) or possibly have unspecified
other impact via a bind system call for an RDS socket on a system
that lacks RDS transports (CVE-2014-2678).

drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable
buffers are disabled, does not properly validate packet lengths, which
allows guest OS users to cause a denial of service (memory corruption
and host OS crash) or possibly gain privileges on the host OS via
crafted packets, related to the handle_rx and get_rx_bufs functions
(CVE-2014-0077).

The ip6_route_add function in net/ipv6/route.c in the Linux kernel
through 3.13.6 does not properly count the addition of routes,
which allows remote attackers to cause a denial of service (memory
consumption) via a flood of ICMPv6 Router Advertisement packets
(CVE-2014-2309).

Multiple array index errors in drivers/hid/hid-multitouch.c in the
Human Interface Device (HID) subsystem in the Linux kernel through
3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate
attackers to cause a denial of service (heap memory corruption, or NULL
pointer dereference and OOPS) via a crafted device (CVE-2013-2897).

net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through
3.13.6 uses a DCCP header pointer incorrectly, which allows remote
attackers to cause a denial of service (system crash) or possibly
execute arbitrary code via a DCCP packet that triggers a call
to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function
(CVE-2014-2523).

Race condition in the mac80211 subsystem in the Linux kernel
before 3.13.7 allows remote attackers to cause a denial of service
(system crash) via network traffic that improperly interacts with the
WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c
and tx.c (CVE-2014-2706).

The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the
Linux kernel through 3.13.6 does not validate certain auth_enable
and auth_capable fields before making an sctp_sf_authenticate call,
which allows remote attackers to cause a denial of service (NULL
pointer dereference and system crash) via an SCTP handshake with
a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO
chunk (CVE-2014-0101).

The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel
through 3.13.5 does not properly handle uncached write operations
that copy fewer than the requested number of bytes, which allows
local users to obtain sensitive information from kernel memory,
cause a denial of service (memory corruption and system crash),
or possibly gain privileges via a writev system call with a crafted
pointer (CVE-2014-0069).

arch/s390/kernel/head64.S in the Linux kernel before 3.13.5 on the s390
platform does not properly handle attempted use of the linkage stack,
which allows local users to cause a denial of service (system crash)
by executing a crafted instruction (CVE-2014-2039).

Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the
Linux kernel before 3.2.24 allows local users to cause a denial
of service (crash) and possibly execute arbitrary code via vectors
related to Message Signaled Interrupts (MSI), irq routing entries,
and an incorrect check by the setup_routing_entry function before
invoking the kvm_set_irq function (CVE-2012-2137).

The security_context_to_sid_core function in
security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows
local users to cause a denial of service (system crash) by leveraging
the CAP_MAC_ADMIN capability to set a zero-length security context
(CVE-2014-1874).

The updated packages provide a solution for these security issues.

Updated packages

MBS1 x86_64

 d4a1665d801553272f379aa8190d7208  mbs1/x86_64/cpupower-3.4.93-1.1.mbs1.x86_64.rpm
 dac586e9467ccffcb0f03d7d6902c714  mbs1/x86_64/kernel-firmware-3.4.93-1.1.mbs1.noarch.rpm
 d67bdbd6148b7e7f187244fc2fb17629  mbs1/x86_64/kernel-headers-3.4.93-1.1.mbs1.src.rpm
 6f011d528d57e6bfe3f348e124cc11d5  mbs1/x86_64/kernel-headers-3.4.93-1.1.mbs1.x86_64.rpm
 6d7935addb463a2dc0cec144390f0786  mbs1/x86_64/kernel-server-3.4.93-1.1.mbs1.x86_64.rpm
 c013f3a9ae5f48694d91bfac81169c67  mbs1/x86_64/kernel-server-devel-3.4.93-1.1.mbs1.x86_64.rpm
 87c7893b5fdfed6d766cac365e78f213  mbs1/x86_64/kernel-source-3.4.93-1.mbs1.noarch.rpm
 298e025c2b05845d67efc4566db3d152  mbs1/x86_64/lib64cpupower0-3.4.93-1.1.mbs1.x86_64.rpm
 45e43387ed27d1281fe5b15304f796f6  mbs1/x86_64/lib64cpupower-devel-3.4.93-1.1.mbs1.x86_64.rpm
 3a74f07a429ea1b403d676f73b7ecbf9  mbs1/x86_64/perf-3.4.93-1.1.mbs1.x86_64.rpm 
 bd6bd37cd3ff3b6844b04821d6da2779  mbs1/SRPMS/cpupower-3.4.93-1.1.mbs1.src.rpm
 88c98d0723446a0717159574e06d9e3b  mbs1/SRPMS/kernel-firmware-3.4.93-1.1.mbs1.src.rpm
 7a84b2886c92e812943c76b2faafd068  mbs1/SRPMS/kernel-server-3.4.93-1.1.mbs1.src.rpm
 7a431cec5f9862815f4d92f2ca1f8d9d  mbs1/SRPMS/kernel-source-3.4.93-1.mbs1.src.rpm
 65654157eb504295dbd05676ed40c968  mbs1/SRPMS/perf-3.4.93-1.1.mbs1.src.rpm

References