http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=864745d291b5ba80ea0bd0edcbe67273de368836

RHSA-2013:0744

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.5.7

[oss-security] 20130307 Re: CVE Requests (maybe): Linux kernel: various info leaks, some NULL ptr derefs

USN-1829-1

https://bugzilla.redhat.com/show_bug.cgi?id=919384

https://github.com/torvalds/linux/commit/864745d291b5ba80ea0bd0edcbe67273de368836

Description of changes:


[2.6.32-400.29.1.el6uek]
- KVM: add missing void __user COPYING CREDITS Documentation Kbuild MAINTAINERS Makefile README REPORTING-BUGS arch block crypto drivers firmware fs include init ipc kernel lib mm net samples scripts security sound tools uek-rpm usr virt cast to access_ok() call (Heiko Carstens) [Orabug: 16941620] {CVE-2013-1943}
- KVM: Validate userspace_addr of memslot when registered (Takuya Yoshikawa) [Orabug: 16941620] {CVE-2013-1943}

[2.6.32-400.28.1.el6uek]
- do_add_mount()/umount -l races (Jerry Snitselaar) [Orabug: 16311974]
- tg3: fix length overflow in VPD firmware parsing (Kees Cook) [Orabug: 16837019] {CVE-2013-1929}
- USB: cdc-wdm: fix buffer overflow (Oliver Neukum) [Orabug: 16837003] {CVE-2013-1860}
- bonding: emit event when bonding changes MAC (Weiping Pan) [Orabug: 16579025]
- sched: Fix ancient race in do_exit() (Joe Jin)
- open debug in page_move_anon_rmap by default. (Xiaowei.Hu) [Orabug: 14046035]
- block: default SCSI command filter does not accomodate commands overlap across device classes (Jamie Iles) [Orabug: 16387136] {CVE-2012-4542}
- vma_adjust: fix the copying of anon_vma chains (Linus Torvalds) [Orabug: 14046035]
- xen-netfront: delay gARP until backend switches to Connected (Laszlo Ersek) [Orabug: 16182568]
- svcrpc: don't hold sv_lock over svc_xprt_put() (J. Bruce Fields) [Orabug: 16032824]
- mm/hotplug: correctly add new zone to all other nodes' zone lists (Jiang Liu) [Orabug: 16603569] {CVE-2012-5517}
- ptrace: ptrace_resume() shouldn't wake up !TASK_TRACED thread (Oleg Nesterov) [Orabug: 16405868] {CVE-2013-0871}
- ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL (Oleg Nesterov) [Orabug: 16405868] {CVE-2013-0871}
- ptrace: introduce signal_wake_up_state() and ptrace_signal_wake_up() (Oleg Nesterov) [Orabug: 16405868] {CVE-2013-0871}
- Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() (Anderson Lizardo) [Orabug: 16711062] {CVE-2013-0349}
- dccp: check ccid before dereferencing (Mathias Krause) [Orabug: 16711040] {CVE-2013-1827}
- USB: io_ti: Fix NULL dereference in chase_port() (Wolfgang Frisch) [Orabug: 16425435] {CVE-2013-1774}
- keys: fix race with concurrent install_user_keyrings() (David Howells) [Orabug: 16493369] {CVE-2013-1792}
- KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) (Andy Honig) [Orabug: 16710937] {CVE-2013-1798}
- KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) (Jerry Snitselaar) [Orabug: 16710794] {CVE-2013-1796}

[2.6.32-400.27.1.el6uek]
- net/tun: fix ioctl() based info leaks (Mathias Krause) [Orabug: 16675501] {CVE-2012-6547}
- atm: fix info leak via getsockname() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6546}
- atm: fix info leak in getsockopt(SO_ATMPVC) (Mathias Krause) [Orabug: 16675501] {CVE-2012-6546}
- xfrm_user: fix info leak in copy_to_user_tmpl() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6537}
- xfrm_user: fix info leak in copy_to_user_policy() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6537}
- xfrm_user: fix info leak in copy_to_user_state() (Mathias Krause) [Orabug: 16675501] {CVE-2013-6537}
- xfrm_user: return error pointer instead of NULL #2 (Mathias Krause) [Orabug: 16675501] {CVE-2013-1826}
- xfrm_user: return error pointer instead of NULL (Mathias Krause) [Orabug: 16675501] {CVE-2013-1826}
- llc: fix info leak via getsockname() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6542}
- x86/mm: Check if PUD is large when validating a kernel address (Mel Gorman) [Orabug: 14251997]

Description of changes:

kernel-uek [2.6.32-400.26.2.el6uek]
- mm/hotplug: correctly add new zone to all other nodes' zone lists (Jiang Liu) [Orabug: 16603569] {CVE-2012-5517}
- ptrace: ptrace_resume() shouldn't wake up !TASK_TRACED thread (Oleg Nesterov) [Orabug: 16405868] {CVE-2013-0871}
- ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL (Oleg Nesterov) [Orabug: 16405868] {CVE-2013-0871}
- ptrace: introduce signal_wake_up_state() and ptrace_signal_wake_up() (Oleg Nesterov) [Orabug: 16405868] {CVE-2013-0871}
- Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() (Anderson Lizardo) [Orabug: 16711062] {CVE-2013-0349}
- dccp: check ccid before dereferencing (Mathias Krause) [Orabug: 16711040] {CVE-2013-1827}
- USB: io_ti: Fix NULL dereference in chase_port() (Wolfgang Frisch) [Orabug: 16425435] {CVE-2013-1774}
- keys: fix race with concurrent install_user_keyrings() (David Howells) [Orabug: 16493369] {CVE-2013-1792}
- KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) (Andy Honig) [Orabug: 16710937] {CVE-2013-1798}
- KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) (Jerry Snitselaar) [Orabug: 16710794] {CVE-2013-1796}
- net/tun: fix ioctl() based info leaks (Mathias Krause) [Orabug: 16675501] {CVE-2012-6547}
- atm: fix info leak via getsockname() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6546}
- atm: fix info leak in getsockopt(SO_ATMPVC) (Mathias Krause) [Orabug: 16675501] {CVE-2012-6546}
- xfrm_user: fix info leak in copy_to_user_tmpl() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6537}
- xfrm_user: fix info leak in copy_to_user_policy() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6537}
- xfrm_user: fix info leak in copy_to_user_state() (Mathias Krause) [Orabug: 16675501] {CVE-2013-6537}
- xfrm_user: return error pointer instead of NULL #2 (Mathias Krause) [Orabug: 16675501] {CVE-2013-1826}
- xfrm_user: return error pointer instead of NULL (Mathias Krause) [Orabug: 16675501] {CVE-2013-1826}

From Red Hat Security Advisory 2013:0747 :

Updated kernel packages that fix several security issues and three bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A flaw was found in the Xen netback driver implementation in the Linux kernel. A privileged guest user with access to a para-virtualized network device could use this flaw to cause a long loop in netback, leading to a denial of service that could potentially affect the entire system. (CVE-2013-0216, Moderate)

* A flaw was found in the Xen PCI device back-end driver implementation in the Linux kernel. A privileged guest user in a guest that has a PCI passthrough device could use this flaw to cause a denial of service that could potentially affect the entire system.
(CVE-2013-0231, Moderate)

* A NULL pointer dereference flaw was found in the IP packet transformation framework (XFRM) implementation in the Linux kernel. A local user who has the CAP_NET_ADMIN capability could use this flaw to cause a denial of service. (CVE-2013-1826, Moderate)

* Information leak flaws were found in the XFRM implementation in the Linux kernel. A local user who has the CAP_NET_ADMIN capability could use these flaws to leak kernel stack memory to user-space.
(CVE-2012-6537, Low)

* An information leak flaw was found in the logical link control (LLC) implementation in the Linux kernel. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space.
(CVE-2012-6542, Low)

* Two information leak flaws were found in the Linux kernel's Asynchronous Transfer Mode (ATM) subsystem. A local, unprivileged user could use these flaws to leak kernel stack memory to user-space.
(CVE-2012-6546, Low)

* An information leak flaw was found in the TUN/TAP device driver in the Linux kernel's networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space. (CVE-2012-6547, Low)

Red Hat would like to thank the Xen project for reporting the CVE-2013-0216 and CVE-2013-0231 issues.

This update also fixes the following bugs :

* The IPv4 code did not correctly update the Maximum Transfer Unit (MTU) of the designed interface when receiving ICMP Fragmentation Needed packets. Consequently, a remote host did not respond correctly to ping attempts. With this update, the IPv4 code has been modified so the MTU of the designed interface is adjusted as expected in this situation. The ping command now provides the expected output.
(BZ#923353)

* Previously, the be2net code expected the last word of an MCC completion message from the firmware to be transferred by direct memory access (DMA) at once. However, this is not always true, and could therefore cause the BUG_ON() macro to be triggered in the be_mcc_compl_is_new() function, consequently leading to a kernel panic. The BUG_ON() macro has been removed from be_mcc_compl_is_new(), and the kernel panic no longer occurs in this scenario. (BZ#923910)

* Previously, the NFSv3 server incorrectly converted 64-bit cookies to 32-bit. Consequently, the cookies became invalid, which affected all file system operations depending on these cookies, such as the READDIR operation that is used to read entries from a directory. This led to various problems, such as exported directories being empty or displayed incorrectly, or an endless loop of the READDIRPLUS procedure which could potentially cause a buffer overflow. This update modifies knfsd code so that 64-bit cookies are now handled correctly and all file system operations work as expected. (BZ#924087)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

From Red Hat Security Advisory 2013:0744 :

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Security :

* An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the Intel i915 driver in the Linux kernel handled the allocation of the buffer used for relocation copies. A local user with console access could use this flaw to cause a denial of service or escalate their privileges. (CVE-2013-0913, Important)

* A buffer overflow flaw was found in the way UTF-8 characters were converted to UTF-16 in the utf8s_to_utf16s() function of the Linux kernel's FAT file system implementation. A local user able to mount a FAT file system with the 'utf8=1' option could use this flaw to crash the system or, potentially, to escalate their privileges.
(CVE-2013-1773, Important)

* A flaw was found in the way KVM handled guest time updates when the buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) crossed a page boundary. A privileged guest user could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the host kernel level. (CVE-2013-1796, Important)

* A potential use-after-free flaw was found in the way KVM handled guest time updates when the GPA (guest physical address) the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell into a movable or removable memory region of the hosting user-space process (by default, QEMU-KVM) on the host. If that memory region is deregistered from KVM using KVM_SET_USER_MEMORY_REGION and the allocated virtual memory reused, a privileged guest user could potentially use this flaw to escalate their privileges on the host. (CVE-2013-1797, Important)

* A flaw was found in the way KVM emulated IOAPIC (I/O Advanced Programmable Interrupt Controller). A missing validation check in the ioapic_read_indirect() function could allow a privileged guest user to crash the host, or read a substantial portion of host kernel memory.
(CVE-2013-1798, Important)

* A race condition in install_user_keyrings(), leading to a NULL pointer dereference, was found in the key management facility. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-1792, Moderate)

* A NULL pointer dereference in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to cause a denial of service. (CVE-2013-1826, Moderate)

* A NULL pointer dereference in the Datagram Congestion Control Protocol (DCCP) implementation could allow a local user to cause a denial of service. (CVE-2013-1827, Moderate)

* Information leak flaws in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2012-6537, Low)

* Two information leak flaws in the Asynchronous Transfer Mode (ATM) subsystem could allow a local, unprivileged user to leak kernel stack memory to user-space. (CVE-2012-6546, Low)

* An information leak was found in the TUN/TAP device driver in the networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space. (CVE-2012-6547, Low)

* An information leak in the Bluetooth implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2013-0349, Low)

* A use-after-free flaw was found in the tmpfs implementation. A local user able to mount and unmount a tmpfs file system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1767, Low)

* A NULL pointer dereference was found in the Linux kernel's USB Inside Out Edgeport Serial Driver implementation. An attacker with physical access to a system could use this flaw to cause a denial of service. (CVE-2013-1774, Low)

Red Hat would like to thank Andrew Honig of Google for reporting CVE-2013-1796, CVE-2013-1797, and CVE-2013-1798. CVE-2013-1792 was discovered by Mateusz Guzik of Red Hat EMEA GSS SEG Team.

Mathias Krause discovered an information leak in the Linux kernel's ISO 9660 CDROM file system driver. A local user could exploit this flaw to examine some of the kernel's heap memory. (CVE-2012-6549)

Mathias Krause discovered a flaw in xfrm_user in the Linux kernel. A local attacker with NET_ADMIN capability could potentially exploit this flaw to escalate privileges. (CVE-2013-1826)

A buffer overflow was discovered in the Linux Kernel's USB subsystem for devices reporting the cdc-wdm class. A specially crafted USB device when plugged-in could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2013-1860)

An information leak was discovered in the Linux kernel's /dev/dvb device. A local user could exploit this flaw to obtain sensitive information from the kernel's stack memory. (CVE-2013-1928)

An information leak in the Linux kernel's dcb netlink interface was discovered. A local user could obtain sensitive information by examining kernel stack memory. (CVE-2013-2634).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2012-2121     Benjamin Herrenschmidt and Jason Baron discovered issues     with the IOMMU mapping of memory slots used in KVM     device assignment. Local users with the ability to     assign devices could cause a denial of service due to a     memory page leak.

  - CVE-2012-3552     Hafid Lin reported an issue in the IP networking     subsystem. A remote user can cause a denial of service     (system crash) on servers running applications that set     options on sockets which are actively being processed.

  - CVE-2012-4461     Jon Howell reported a denial of service issue in the KVM     subsystem. On systems that do not support the XSAVE     feature, local users with access to the /dev/kvm     interface can cause a system crash.

  - CVE-2012-4508     Dmitry Monakhov and Theodore Ts'o reported a race     condition in the ext4 filesystem. Local users could gain     access to sensitive kernel memory.

  - CVE-2012-6537     Mathias Krause discovered information leak issues in the     Transformation user configuration interface. Local users     with the CAP_NET_ADMIN capability can gain access to     sensitive kernel memory.

  - CVE-2012-6539     Mathias Krause discovered an issue in the networking     subsystem. Local users on 64-bit systems can gain access     to sensitive kernel memory.

  - CVE-2012-6540     Mathias Krause discovered an issue in the Linux virtual     server subsystem. Local users can gain access to     sensitive kernel memory. Note: this issue does not     affect Debian provided kernels, but may affect custom     kernels built from Debian's linux-source-2.6.32 package.

  - CVE-2012-6542     Mathias Krause discovered an issue in the LLC protocol     support code. Local users can gain access to sensitive     kernel memory.

  - CVE-2012-6544     Mathias Krause discovered issues in the Bluetooth     subsystem. Local users can gain access to sensitive     kernel memory.

  - CVE-2012-6545     Mathias Krause discovered issues in the Bluetooth RFCOMM     protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2012-6546     Mathias Krause discovered issues in the ATM networking     support. Local users can gain access to sensitive kernel     memory.

  - CVE-2012-6548     Mathias Krause discovered an issue in the UDF file     system support. Local users can obtain access to     sensitive kernel memory.

  - CVE-2012-6549     Mathias Krause discovered an issue in the isofs file     system support. Local users can obtain access to     sensitive kernel memory.

  - CVE-2013-0349     Anderson Lizardo discovered an issue in the Bluetooth     Human Interface Device Protocol (HIDP) stack. Local     users can obtain access to sensitive kernel memory.

  - CVE-2013-0914     Emese Revfy discovered an issue in the signal     implementation. Local users may be able to bypass the     address space layout randomization (ASLR) facility due     to a leaking of information to child processes.

  - CVE-2013-1767     Greg Thelen reported an issue in the tmpfs virtual     memory filesystem. Local users with sufficient privilege     to mount filesystems can cause a denial of service or     possibly elevated privileges due to a use-after free     defect.

  - CVE-2013-1773     Alan Stern provided a fix for a defect in the     UTF8->UTF16 string conversion facility used by the VFAT     filesystem. A local user could cause a buffer overflow     condition, resulting in a denial of service or     potentially elevated privileges.

  - CVE-2013-1774     Wolfgang Frisch provided a fix for a NULL pointer     dereference defect in the driver for some serial USB     devices from Inside Out Networks. Local users with     permission to access these devices can create a denial     of service (kernel oops) by causing the device to be     removed while it is in use.

  - CVE-2013-1792     Mateusz Guzik of Red Hat EMEA GSS SEG Team discovered a     race condition in the access key retention support in     the kernel. A local user could cause a denial of service     (NULL pointer dereference).

  - CVE-2013-1796     Andrew Honig of Google reported an issue in the KVM     subsystem. A user in a guest operating system could     corrupt kernel memory, resulting in a denial of service.

  - CVE-2013-1798     Andrew Honig of Google reported an issue in the KVM     subsystem. A user in a guest operating system could     cause a denial of service due to a use after-free     defect.

  - CVE-2013-1826     Mathias Krause discovered an issue in the Transformation     (XFRM) user configuration interface of the networking     stack. A user with the CAP_NET_ADMIN capability may be     able to gain elevated privileges.

  - CVE-2013-1860     Oliver Neukum discovered an issue in the USB CDC WCM     Device Management driver. Local users with the ability     to attach devices can cause a denial of service (kernel     crash) or potentially gain elevated privileges.

  - CVE-2013-1928     Kees Cook provided a fix for an information leak in the     VIDEO_SET_SPU_PALETTE ioctl for 32-bit applications     running on a 64-bit kernel. Local users can gain access     to sensitive kernel memory.

  - CVE-2013-1929     Oded Horovitz and Brad Spengler reported an issue in the     device driver for Broadcom Tigon3 based gigabit     Ethernet. Users with the ability to attach untrusted     devices can create an overflow condition, resulting in a     denial of service or elevated privileges.

  - CVE-2013-2015     Theodore Ts'o provided a fix for an issue in the ext4     filesystem. Local users with the ability to mount a     specially crafted filesystem can cause a denial of     service (infinite loop).

  - CVE-2013-2634     Mathias Krause discovered a few issues in the Data     Center Bridging (DCB) netlink interface. Local users can     gain access to sensitive kernel memory.

  - CVE-2013-3222     Mathias Krause discovered an issue in the Asynchronous     Transfer Mode (ATM) protocol support. Local users can     gain access to sensitive kernel memory.

  - CVE-2013-3223     Mathias Krause discovered an issue in the Amateur Radio     AX.25 protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3224     Mathias Krause discovered an issue in the Bluetooth     subsystem. Local users can gain access to sensitive     kernel memory.

  - CVE-2013-3225     Mathias Krause discovered an issue in the Bluetooth     RFCOMM protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3228     Mathias Krause discovered an issue in the IrDA     (infrared) subsystem support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3229     Mathias Krause discovered an issue in the IUCV support     on s390 systems. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3231     Mathias Krause discovered an issue in the ANSI/IEEE     802.2 LLC type 2 protocol support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3234     Mathias Krause discovered an issue in the Amateur Radio     X.25 PLP (Rose) protocol support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3235     Mathias Krause discovered an issue in the Transparent     Inter Process Communication (TIPC) protocol support.
    Local users can gain access to sensitive kernel memory.

* An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the Intel i915 driver in the Linux kernel handled the allocation of the buffer used for relocation copies. A local user with console access could use this flaw to cause a denial of service or escalate their privileges. (CVE-2013-0913, Important)

* A buffer overflow flaw was found in the way UTF-8 characters were converted to UTF-16 in the utf8s_to_utf16s() function of the Linux kernel's FAT file system implementation. A local user able to mount a FAT file system with the 'utf8=1' option could use this flaw to crash the system or, potentially, to escalate their privileges.
(CVE-2013-1773, Important)

* A flaw was found in the way KVM handled guest time updates when the buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) crossed a page boundary. A privileged guest user could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the host kernel level. (CVE-2013-1796, Important)

* A potential use-after-free flaw was found in the way KVM handled guest time updates when the GPA (guest physical address) the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell into a movable or removable memory region of the hosting user-space process (by default, QEMU-KVM) on the host. If that memory region is deregistered from KVM using KVM_SET_USER_MEMORY_REGION and the allocated virtual memory reused, a privileged guest user could potentially use this flaw to escalate their privileges on the host. (CVE-2013-1797, Important)

* A flaw was found in the way KVM emulated IOAPIC (I/O Advanced Programmable Interrupt Controller). A missing validation check in the ioapic_read_indirect() function could allow a privileged guest user to crash the host, or read a substantial portion of host kernel memory.
(CVE-2013-1798, Important)

* A race condition in install_user_keyrings(), leading to a NULL pointer dereference, was found in the key management facility. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-1792, Moderate)

* A NULL pointer dereference in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to cause a denial of service. (CVE-2013-1826, Moderate)

* A NULL pointer dereference in the Datagram Congestion Control Protocol (DCCP) implementation could allow a local user to cause a denial of service. (CVE-2013-1827, Moderate)

* Information leak flaws in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2012-6537, Low)

* Two information leak flaws in the Asynchronous Transfer Mode (ATM) subsystem could allow a local, unprivileged user to leak kernel stack memory to user-space. (CVE-2012-6546, Low)

* An information leak was found in the TUN/TAP device driver in the networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space. (CVE-2012-6547, Low)

* An information leak in the Bluetooth implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2013-0349, Low)

* A use-after-free flaw was found in the tmpfs implementation. A local user able to mount and unmount a tmpfs file system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1767, Low)

* A NULL pointer dereference was found in the Linux kernel's USB Inside Out Edgeport Serial Driver implementation. An attacker with physical access to a system could use this flaw to cause a denial of service. (CVE-2013-1774, Low)

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Security :

* An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the Intel i915 driver in the Linux kernel handled the allocation of the buffer used for relocation copies. A local user with console access could use this flaw to cause a denial of service or escalate their privileges. (CVE-2013-0913, Important)

* A buffer overflow flaw was found in the way UTF-8 characters were converted to UTF-16 in the utf8s_to_utf16s() function of the Linux kernel's FAT file system implementation. A local user able to mount a FAT file system with the 'utf8=1' option could use this flaw to crash the system or, potentially, to escalate their privileges.
(CVE-2013-1773, Important)

* A flaw was found in the way KVM handled guest time updates when the buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) crossed a page boundary. A privileged guest user could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the host kernel level. (CVE-2013-1796, Important)

* A potential use-after-free flaw was found in the way KVM handled guest time updates when the GPA (guest physical address) the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell into a movable or removable memory region of the hosting user-space process (by default, QEMU-KVM) on the host. If that memory region is deregistered from KVM using KVM_SET_USER_MEMORY_REGION and the allocated virtual memory reused, a privileged guest user could potentially use this flaw to escalate their privileges on the host. (CVE-2013-1797, Important)

* A flaw was found in the way KVM emulated IOAPIC (I/O Advanced Programmable Interrupt Controller). A missing validation check in the ioapic_read_indirect() function could allow a privileged guest user to crash the host, or read a substantial portion of host kernel memory.
(CVE-2013-1798, Important)

* A race condition in install_user_keyrings(), leading to a NULL pointer dereference, was found in the key management facility. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-1792, Moderate)

* A NULL pointer dereference in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to cause a denial of service. (CVE-2013-1826, Moderate)

* A NULL pointer dereference in the Datagram Congestion Control Protocol (DCCP) implementation could allow a local user to cause a denial of service. (CVE-2013-1827, Moderate)

* Information leak flaws in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2012-6537, Low)

* Two information leak flaws in the Asynchronous Transfer Mode (ATM) subsystem could allow a local, unprivileged user to leak kernel stack memory to user-space. (CVE-2012-6546, Low)

* An information leak was found in the TUN/TAP device driver in the networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space. (CVE-2012-6547, Low)

* An information leak in the Bluetooth implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2013-0349, Low)

* A use-after-free flaw was found in the tmpfs implementation. A local user able to mount and unmount a tmpfs file system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1767, Low)

* A NULL pointer dereference was found in the Linux kernel's USB Inside Out Edgeport Serial Driver implementation. An attacker with physical access to a system could use this flaw to cause a denial of service. (CVE-2013-1774, Low)

Red Hat would like to thank Andrew Honig of Google for reporting CVE-2013-1796, CVE-2013-1797, and CVE-2013-1798. CVE-2013-1792 was discovered by Mateusz Guzik of Red Hat EMEA GSS SEG Team.

This update fixes the following security issues :

  - A flaw was found in the Xen netback driver     implementation in the Linux kernel. A privileged guest     user with access to a para-virtualized network device     could use this flaw to cause a long loop in netback,     leading to a denial of service that could potentially     affect the entire system. (CVE-2013-0216, Moderate)

  - A flaw was found in the Xen PCI device back-end driver     implementation in the Linux kernel. A privileged guest     user in a guest that has a PCI passthrough device could     use this flaw to cause a denial of service that could     potentially affect the entire system. (CVE-2013-0231,     Moderate)

  - A NULL pointer dereference flaw was found in the IP     packet transformation framework (XFRM) implementation in     the Linux kernel. A local user who has the CAP_NET_ADMIN     capability could use this flaw to cause a denial of     service. (CVE-2013-1826, Moderate)

  - Information leak flaws were found in the XFRM     implementation in the Linux kernel. A local user who has     the CAP_NET_ADMIN capability could use these flaws to     leak kernel stack memory to user-space. (CVE-2012-6537,     Low)

  - An information leak flaw was found in the logical link     control (LLC) implementation in the Linux kernel. A     local, unprivileged user could use this flaw to leak     kernel stack memory to user-space. (CVE-2012-6542, Low)

  - Two information leak flaws were found in the Linux     kernel's Asynchronous Transfer Mode (ATM) subsystem. A     local, unprivileged user could use these flaws to leak     kernel stack memory to user-space. (CVE-2012-6546, Low)

  - An information leak flaw was found in the TUN/TAP device     driver in the Linux kernel's networking implementation.
    A local user with access to a TUN/TAP virtual interface     could use this flaw to leak kernel stack memory to     user-space. (CVE-2012-6547, Low)

This update also fixes the following bugs :

  - The IPv4 code did not correctly update the Maximum     Transfer Unit (MTU) of the designed interface when     receiving ICMP Fragmentation Needed packets.
    Consequently, a remote host did not respond correctly to     ping attempts. With this update, the IPv4 code has been     modified so the MTU of the designed interface is     adjusted as expected in this situation. The ping command     now provides the expected output.

  - Previously, the be2net code expected the last word of an     MCC completion message from the firmware to be     transferred by direct memory access (DMA) at once.
    However, this is not always true, and could therefore     cause the BUG_ON() macro to be triggered in the     be_mcc_compl_is_new() function, consequently leading to     a kernel panic. The BUG_ON() macro has been removed from     be_mcc_compl_is_new(), and the kernel panic no longer     occurs in this scenario.

  - Previously, the NFSv3 server incorrectly converted     64-bit cookies to 32-bit. Consequently, the cookies     became invalid, which affected all file system     operations depending on these cookies, such as the     READDIR operation that is used to read entries from a     directory. This led to various problems, such as     exported directories being empty or displayed     incorrectly, or an endless loop of the READDIRPLUS     procedure which could potentially cause a buffer     overflow. This update modifies knfsd code so that 64-bit     cookies are now handled correctly and all file system     operations work as expected.

The system must be rebooted for this update to take effect.

Updated kernel packages that fix several security issues and three bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A flaw was found in the Xen netback driver implementation in the Linux kernel. A privileged guest user with access to a para-virtualized network device could use this flaw to cause a long loop in netback, leading to a denial of service that could potentially affect the entire system. (CVE-2013-0216, Moderate)

* A flaw was found in the Xen PCI device back-end driver implementation in the Linux kernel. A privileged guest user in a guest that has a PCI passthrough device could use this flaw to cause a denial of service that could potentially affect the entire system.
(CVE-2013-0231, Moderate)

* A NULL pointer dereference flaw was found in the IP packet transformation framework (XFRM) implementation in the Linux kernel. A local user who has the CAP_NET_ADMIN capability could use this flaw to cause a denial of service. (CVE-2013-1826, Moderate)

* Information leak flaws were found in the XFRM implementation in the Linux kernel. A local user who has the CAP_NET_ADMIN capability could use these flaws to leak kernel stack memory to user-space.
(CVE-2012-6537, Low)

* An information leak flaw was found in the logical link control (LLC) implementation in the Linux kernel. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space.
(CVE-2012-6542, Low)

* Two information leak flaws were found in the Linux kernel's Asynchronous Transfer Mode (ATM) subsystem. A local, unprivileged user could use these flaws to leak kernel stack memory to user-space.
(CVE-2012-6546, Low)

* An information leak flaw was found in the TUN/TAP device driver in the Linux kernel's networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space. (CVE-2012-6547, Low)

Red Hat would like to thank the Xen project for reporting the CVE-2013-0216 and CVE-2013-0231 issues.

This update also fixes the following bugs :

* The IPv4 code did not correctly update the Maximum Transfer Unit (MTU) of the designed interface when receiving ICMP Fragmentation Needed packets. Consequently, a remote host did not respond correctly to ping attempts. With this update, the IPv4 code has been modified so the MTU of the designed interface is adjusted as expected in this situation. The ping command now provides the expected output.
(BZ#923353)

* Previously, the be2net code expected the last word of an MCC completion message from the firmware to be transferred by direct memory access (DMA) at once. However, this is not always true, and could therefore cause the BUG_ON() macro to be triggered in the be_mcc_compl_is_new() function, consequently leading to a kernel panic. The BUG_ON() macro has been removed from be_mcc_compl_is_new(), and the kernel panic no longer occurs in this scenario. (BZ#923910)

* Previously, the NFSv3 server incorrectly converted 64-bit cookies to 32-bit. Consequently, the cookies became invalid, which affected all file system operations depending on these cookies, such as the READDIR operation that is used to read entries from a directory. This led to various problems, such as exported directories being empty or displayed incorrectly, or an endless loop of the READDIRPLUS procedure which could potentially cause a buffer overflow. This update modifies knfsd code so that 64-bit cookies are now handled correctly and all file system operations work as expected. (BZ#924087)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2013-0747.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2013-0744.

ID	Name	Product	Family	Severity
68856	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2013-2534)	Nessus	Oracle Linux Local Security Checks	medium
68852	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2013-2520)	Nessus	Oracle Linux Local Security Checks	medium
68809	Oracle Linux 5 : kernel (ELSA-2013-0747)	Nessus	Oracle Linux Local Security Checks	medium
68808	Oracle Linux 5 : kernel (ELSA-2013-0747-1)	Nessus	Oracle Linux Local Security Checks	medium
68807	Oracle Linux 6 : kernel (ELSA-2013-0744)	Nessus	Oracle Linux Local Security Checks	high
66494	Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1829-1)	Nessus	Ubuntu Local Security Checks	medium
66467	Ubuntu 10.04 LTS : linux vulnerabilities (USN-1824-1)	Nessus	Ubuntu Local Security Checks	medium
66431	Debian DSA-2668-1 : linux-2.6 - privilege escalation/denial of service/information leak	Nessus	Debian Local Security Checks	medium
66214	Scientific Linux Security Update : kernel on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
66204	CentOS 6 : kernel (CESA-2013:0744)	Nessus	CentOS Local Security Checks	high
66192	RHEL 6 : kernel (RHSA-2013:0744)	Nessus	Red Hat Local Security Checks	high
66016	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
65991	RHEL 5 : kernel (RHSA-2013:0747)	Nessus	Red Hat Local Security Checks	medium
65988	CentOS 5 : kernel (CESA-2013:0747)	Nessus	CentOS Local Security Checks	medium
801541	CentOS RHSA-2013-0747 Security Check	Log Correlation Engine	Generic	high
801540	CentOS RHSA-2013-0744 Security Check	Log Correlation Engine	Generic	high

CVE-2013-1826

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins