-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2014:124
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : kernel
Date    : June 13, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been found and corrected in the Linux kernel:

kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number (CVE-2014-3917).

The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification (CVE-2014-3153).

Race condition in the ath_tx_aggr_sleep function in drivers/net/wireless/ath/ath9k/xmit.c in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via a large amount of network traffic that triggers certain list deletions (CVE-2014-2672).

The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length value is sufficiently large, which allows local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr and __skb_get_nlattr_nest functions before the vulnerability was announced (CVE-2014-3144).
The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 uses the reverse order in a certain subtraction, which allows local users to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced (CVE-2014-3145).

Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter (CVE-2014-2851).

The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the LECHO & !OPOST case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings (CVE-2014-0196).

The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device (CVE-2014-1738).

The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device (CVE-2014-1737).
The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel through 3.14 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports (CVE-2014-2678).

drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions (CVE-2014-0077).

The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets (CVE-2014-2309).

Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device (CVE-2013-2897).

net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function (CVE-2014-2523).

Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c (CVE-2014-2706).
The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk (CVE-2014-0101).

The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer (CVE-2014-0069).

arch/s390/kernel/head64.S in the Linux kernel before 3.13.5 on the s390 platform does not properly handle attempted use of the linkage stack, which allows local users to cause a denial of service (system crash) by executing a crafted instruction (CVE-2014-2039).

Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the Linux kernel before 3.2.24 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to Message Signaled Interrupts (MSI), irq routing entries, and an incorrect check by the setup_routing_entry function before invoking the kvm_set_irq function (CVE-2012-2137).

The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context (CVE-2014-1874).

The updated packages provide a solution for these security issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2897
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1874
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2039
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2309
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3917
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
d4a1665d801553272f379aa8190d7208 mbs1/x86_64/cpupower-3.4.93-1.1.mbs1.x86_64.rpm
dac586e9467ccffcb0f03d7d6902c714 mbs1/x86_64/kernel-firmware-3.4.93-1.1.mbs1.noarch.rpm
d67bdbd6148b7e7f187244fc2fb17629 mbs1/x86_64/kernel-headers-3.4.93-1.1.mbs1.src.rpm
6f011d528d57e6bfe3f348e124cc11d5 mbs1/x86_64/kernel-headers-3.4.93-1.1.mbs1.x86_64.rpm
6d7935addb463a2dc0cec144390f0786 mbs1/x86_64/kernel-server-3.4.93-1.1.mbs1.x86_64.rpm
c013f3a9ae5f48694d91bfac81169c67 mbs1/x86_64/kernel-server-devel-3.4.93-1.1.mbs1.x86_64.rpm
87c7893b5fdfed6d766cac365e78f213 mbs1/x86_64/kernel-source-3.4.93-1.mbs1.noarch.rpm
298e025c2b05845d67efc4566db3d152 mbs1/x86_64/lib64cpupower0-3.4.93-1.1.mbs1.x86_64.rpm
45e43387ed27d1281fe5b15304f796f6 mbs1/x86_64/lib64cpupower-devel-3.4.93-1.1.mbs1.x86_64.rpm
3a74f07a429ea1b403d676f73b7ecbf9 mbs1/x86_64/perf-3.4.93-1.1.mbs1.x86_64.rpm
bd6bd37cd3ff3b6844b04821d6da2779 mbs1/SRPMS/cpupower-3.4.93-1.1.mbs1.src.rpm
88c98d0723446a0717159574e06d9e3b mbs1/SRPMS/kernel-firmware-3.4.93-1.1.mbs1.src.rpm
7a84b2886c92e812943c76b2faafd068 mbs1/SRPMS/kernel-server-3.4.93-1.1.mbs1.src.rpm
7a431cec5f9862815f4d92f2ca1f8d9d mbs1/SRPMS/kernel-source-3.4.93-1.mbs1.src.rpm
65654157eb504295dbd05676ed40c968 mbs1/SRPMS/perf-3.4.93-1.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTmvH3mqjQ0CJFipgRAjgaAKDtCfvK/cukQMyPkhdgllxaobQHFQCdHoJo
g42VcK2YoEgcX9BPP3/zfWg=
=4uZg
-----END PGP SIGNATURE-----
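As an added example that is not part of the advisory or of Mandriva's own tooling, the following POSIX shell script turns the advisory's "md5sum path" package lines into md5sum -c input and checks manually downloaded packages against them. The package file and advisory excerpt it runs on are constructed inline, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not Mandriva tooling): check downloaded update packages against
# the "<md5> <path>" lines of an MDVSA advisory before installing them by hand.
# Assumes POSIX sh, awk and md5sum (GNU coreutils or busybox) are available.

# Keep only lines that look like "<32 hex chars> <path>" and emit md5sum -c format.
advisory_to_checksums() {
    awk 'NF == 2 && length($1) == 32 && $1 ~ /^[0-9a-f]+$/ { printf "%s  %s\n", $1, $2 }'
}

# verify_packages <advisory file> <download dir>: returns 0 only if every listed
# package exists under the download dir and its md5 matches the advisory.
verify_packages() {
    list=$(advisory_to_checksums < "$1")
    [ -n "$list" ] || return 1          # an empty list is a failure, not a pass
    if (cd "$2" && printf '%s\n' "$list" | md5sum -c >/dev/null 2>&1); then
        return 0
    fi
    return 1
}

# Self-contained demonstration on a constructed package file and advisory excerpt.
demo_verification() {
    tmp=$(mktemp -d) || return 1
    pkg="mbs1/x86_64/kernel-server-3.4.93-1.1.mbs1.x86_64.rpm"   # path as listed in the advisory
    mkdir -p "$tmp/mbs1/x86_64"
    printf 'constructed package payload\n' > "$tmp/$pkg"
    sum=$(md5sum "$tmp/$pkg" | awk '{ print $1 }')
    # Constructed advisory excerpt: a header line (ignored) plus one package line.
    printf 'Updated Packages:\n%s %s\n' "$sum" "$pkg" > "$tmp/advisory.txt"
    if verify_packages "$tmp/advisory.txt" "$tmp"; then ok=0; else ok=1; fi
    # Tamper with the package: the same check must now fail.
    printf 'tampered\n' >> "$tmp/$pkg"
    if verify_packages "$tmp/advisory.txt" "$tmp"; then tampered=0; else tampered=1; fi
    rm -rf "$tmp"
    [ "$ok" -eq 0 ] && [ "$tampered" -eq 1 ]
}

demo_verification && echo "checksum verification logic OK"
```

urpmi and MandrivaUpdate already perform this check together with the GPG signature check; the script covers packages fetched by hand, and a matching md5 only shows the file agrees with the advisory, while the package signatures are what tie it to Mandriva.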