http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=864745d291b5ba80ea0bd0edcbe67273de368836

RHSA-2013:0744

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.5.7

[oss-security] 20130307 Re: CVE Requests (maybe): Linux kernel: various info leaks, some NULL ptr derefs

USN-1829-1

https://bugzilla.redhat.com/show_bug.cgi?id=919384

https://github.com/torvalds/linux/commit/864745d291b5ba80ea0bd0edcbe67273de368836

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-2534 advisory.

  - block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during     authorization of SCSI commands, which allows local users to bypass intended access restrictions via an     SG_IO ioctl call that leverages overlapping opcodes. (CVE-2012-4542)

  - The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return     value in certain circumstances, which allows local users to obtain sensitive information from kernel stack     memory via a crafted application that leverages an uninitialized pointer argument. (CVE-2012-6542)

  - The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified     during allocation of memory slots for use in a guest's physical address space, which allows local users to     gain privileges or obtain sensitive information from kernel memory via a crafted application, related to     arch/x86/kvm/paging_tmpl.h and virt/kvm/kvm_main.c. (CVE-2013-1943)

  - Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the     Linux kernel before 3.8.6 allows physically proximate attackers to cause a denial of service (system     crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital     Product Data (VPD) data structure. (CVE-2013-1929)

  - Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux     kernel before 3.8.4 allows physically proximate attackers to cause a denial of service (system crash) or     possibly execute arbitrary code via a crafted cdc-wdm USB device. (CVE-2013-1860)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-2520 advisory.

  - Race condition in fs/ext4/extents.c in the Linux kernel before 3.4.16 allows local users to obtain     sensitive information from a deleted file by reading an extent that was not properly marked as     uninitialized. (CVE-2012-4508)

  - The online_pages function in mm/memory_hotplug.c in the Linux kernel before 3.6 allows local users to     cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other     impact in opportunistic circumstances by using memory that was hot-added by an administrator.
    (CVE-2012-5517)

  - arch/x86/include/asm/pgtable.h in the Linux kernel before 3.6.2, when transparent huge pages are used,     does not properly support PROT_NONE memory regions, which allows local users to cause a denial of service     (system crash) via a crafted application. (CVE-2013-0309)

  - The cipso_v4_validate function in net/ipv4/cipso_ipv4.c in the Linux kernel before 3.4.8 allows local     users to cause a denial of service (NULL pointer dereference and system crash) or possibly have     unspecified other impact via an IPOPT_CIPSO IP_OPTIONS setsockopt system call. (CVE-2013-0310)

  - Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain     privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by     ptrace_death. (CVE-2013-0871)

  - The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a     required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause     a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other     impact via a crafted application. (CVE-2013-1796)

  - The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly     handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows     guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS     OOPS) via a crafted application. (CVE-2013-1798)

  - net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initialize certain structures, which allows     local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.
    (CVE-2012-6537)

  - The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows     local users to obtain sensitive information from kernel stack memory via a crafted application.
    (CVE-2012-6546)

  - The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a     certain structure, which allows local users to obtain sensitive information from kernel stack memory via a     crafted application. (CVE-2012-6547)

  - The xfrm_state_netlink function in net/xfrm/xfrm_user.c in the Linux kernel before 3.5.7 does not properly     handle error conditions in dump_one_state function calls, which allows local users to gain privileges or     cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN     capability. (CVE-2013-1826)

  - The hidp_setup_hid function in net/bluetooth/hidp/core.c in the Linux kernel before 3.7.6 does not     properly copy a certain name field, which allows local users to obtain sensitive information from kernel     memory by setting a long name and making an HIDPCONNADD ioctl call. (CVE-2013-0349)

  - The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users     to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read     or write operation on a disconnected Edgeport USB serial converter. (CVE-2013-1774)

  - Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel     before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash)     via crafted keyctl system calls that trigger keyring operations in simultaneous threads. (CVE-2013-1792)

  - net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial     of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a     certain (1) sender or (2) receiver getsockopt call. (CVE-2013-1827)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2013:0747 :

Updated kernel packages that fix several security issues and three bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A flaw was found in the Xen netback driver implementation in the Linux kernel. A privileged guest user with access to a para-virtualized network device could use this flaw to cause a long loop in netback, leading to a denial of service that could potentially affect the entire system. (CVE-2013-0216, Moderate)

* A flaw was found in the Xen PCI device back-end driver implementation in the Linux kernel. A privileged guest user in a guest that has a PCI passthrough device could use this flaw to cause a denial of service that could potentially affect the entire system.
(CVE-2013-0231, Moderate)

* A NULL pointer dereference flaw was found in the IP packet transformation framework (XFRM) implementation in the Linux kernel. A local user who has the CAP_NET_ADMIN capability could use this flaw to cause a denial of service. (CVE-2013-1826, Moderate)

* Information leak flaws were found in the XFRM implementation in the Linux kernel. A local user who has the CAP_NET_ADMIN capability could use these flaws to leak kernel stack memory to user-space.
(CVE-2012-6537, Low)

* An information leak flaw was found in the logical link control (LLC) implementation in the Linux kernel. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space.
(CVE-2012-6542, Low)

* Two information leak flaws were found in the Linux kernel's Asynchronous Transfer Mode (ATM) subsystem. A local, unprivileged user could use these flaws to leak kernel stack memory to user-space.
(CVE-2012-6546, Low)

* An information leak flaw was found in the TUN/TAP device driver in the Linux kernel's networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space. (CVE-2012-6547, Low)

Red Hat would like to thank the Xen project for reporting the CVE-2013-0216 and CVE-2013-0231 issues.

This update also fixes the following bugs :

* The IPv4 code did not correctly update the Maximum Transfer Unit (MTU) of the designed interface when receiving ICMP Fragmentation Needed packets. Consequently, a remote host did not respond correctly to ping attempts. With this update, the IPv4 code has been modified so the MTU of the designed interface is adjusted as expected in this situation. The ping command now provides the expected output.
(BZ#923353)

* Previously, the be2net code expected the last word of an MCC completion message from the firmware to be transferred by direct memory access (DMA) at once. However, this is not always true, and could therefore cause the BUG_ON() macro to be triggered in the be_mcc_compl_is_new() function, consequently leading to a kernel panic. The BUG_ON() macro has been removed from be_mcc_compl_is_new(), and the kernel panic no longer occurs in this scenario. (BZ#923910)

* Previously, the NFSv3 server incorrectly converted 64-bit cookies to 32-bit. Consequently, the cookies became invalid, which affected all file system operations depending on these cookies, such as the READDIR operation that is used to read entries from a directory. This led to various problems, such as exported directories being empty or displayed incorrectly, or an endless loop of the READDIRPLUS procedure which could potentially cause a buffer overflow. This update modifies knfsd code so that 64-bit cookies are now handled correctly and all file system operations work as expected. (BZ#924087)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-0744 advisory.

  - The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a     required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause     a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other     impact via a crafted application. (CVE-2013-1796)

  - Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users     to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a     crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable     memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation. (CVE-2013-1797)

  - The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly     handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows     guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS     OOPS) via a crafted application. (CVE-2013-1798)

  - Integer overflow in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the i915 driver in the Direct Rendering     Manager (DRM) subsystem in the Linux kernel through 3.8.3, as used in Google Chrome OS before     25.0.1364.173 and other products, allows local users to cause a denial of service (heap-based buffer     overflow) or possibly have unspecified other impact via a crafted application that triggers many     relocation copies, and potentially leads to a race condition. (CVE-2013-0913)

  - Buffer overflow in the VFAT filesystem implementation in the Linux kernel before 3.3 allows local users to     gain privileges or cause a denial of service (system crash) via a VFAT write operation on a filesystem     with the utf8 mount option, which is not properly handled during UTF-8 to UTF-16 conversion.
    (CVE-2013-1773)

  - net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initialize certain structures, which allows     local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.
    (CVE-2012-6537)

  - The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows     local users to obtain sensitive information from kernel stack memory via a crafted application.
    (CVE-2012-6546)

  - The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a     certain structure, which allows local users to obtain sensitive information from kernel stack memory via a     crafted application. (CVE-2012-6547)

  - The xfrm_state_netlink function in net/xfrm/xfrm_user.c in the Linux kernel before 3.5.7 does not properly     handle error conditions in dump_one_state function calls, which allows local users to gain privileges or     cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN     capability. (CVE-2013-1826)

  - The hidp_setup_hid function in net/bluetooth/hidp/core.c in the Linux kernel before 3.7.6 does not     properly copy a certain name field, which allows local users to obtain sensitive information from kernel     memory by setting a long name and making an HIDPCONNADD ioctl call. (CVE-2013-0349)

  - Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before     3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a     tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option. (CVE-2013-1767)

  - The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users     to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read     or write operation on a disconnected Edgeport USB serial converter. (CVE-2013-1774)

  - Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel     before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash)     via crafted keyctl system calls that trigger keyring operations in simultaneous threads. (CVE-2013-1792)

  - net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial     of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a     certain (1) sender or (2) receiver getsockopt call. (CVE-2013-1827)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Mathias Krause discovered an information leak in the Linux kernel's ISO 9660 CDROM file system driver. A local user could exploit this flaw to examine some of the kernel's heap memory. (CVE-2012-6549)

Mathias Krause discovered a flaw in xfrm_user in the Linux kernel. A local attacker with NET_ADMIN capability could potentially exploit this flaw to escalate privileges. (CVE-2013-1826)

A buffer overflow was discovered in the Linux Kernel's USB subsystem for devices reporting the cdc-wdm class. A specially crafted USB device when plugged-in could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2013-1860)

An information leak was discovered in the Linux kernel's /dev/dvb device. A local user could exploit this flaw to obtain sensitive information from the kernel's stack memory. (CVE-2013-1928)

An information leak in the Linux kernel's dcb netlink interface was discovered. A local user could obtain sensitive information by examining kernel stack memory. (CVE-2013-2634).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2012-2121     Benjamin Herrenschmidt and Jason Baron discovered issues     with the IOMMU mapping of memory slots used in KVM     device assignment. Local users with the ability to     assign devices could cause a denial of service due to a     memory page leak.

  - CVE-2012-3552     Hafid Lin reported an issue in the IP networking     subsystem. A remote user can cause a denial of service     (system crash) on servers running applications that set     options on sockets which are actively being processed.

  - CVE-2012-4461     Jon Howell reported a denial of service issue in the KVM     subsystem. On systems that do not support the XSAVE     feature, local users with access to the /dev/kvm     interface can cause a system crash.

  - CVE-2012-4508     Dmitry Monakhov and Theodore Ts'o reported a race     condition in the ext4 filesystem. Local users could gain     access to sensitive kernel memory.

  - CVE-2012-6537     Mathias Krause discovered information leak issues in the     Transformation user configuration interface. Local users     with the CAP_NET_ADMIN capability can gain access to     sensitive kernel memory.

  - CVE-2012-6539     Mathias Krause discovered an issue in the networking     subsystem. Local users on 64-bit systems can gain access     to sensitive kernel memory.

  - CVE-2012-6540     Mathias Krause discovered an issue in the Linux virtual     server subsystem. Local users can gain access to     sensitive kernel memory. Note: this issue does not     affect Debian provided kernels, but may affect custom     kernels built from Debian's linux-source-2.6.32 package.

  - CVE-2012-6542     Mathias Krause discovered an issue in the LLC protocol     support code. Local users can gain access to sensitive     kernel memory.

  - CVE-2012-6544     Mathias Krause discovered issues in the Bluetooth     subsystem. Local users can gain access to sensitive     kernel memory.

  - CVE-2012-6545     Mathias Krause discovered issues in the Bluetooth RFCOMM     protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2012-6546     Mathias Krause discovered issues in the ATM networking     support. Local users can gain access to sensitive kernel     memory.

  - CVE-2012-6548     Mathias Krause discovered an issue in the UDF file     system support. Local users can obtain access to     sensitive kernel memory.

  - CVE-2012-6549     Mathias Krause discovered an issue in the isofs file     system support. Local users can obtain access to     sensitive kernel memory.

  - CVE-2013-0349     Anderson Lizardo discovered an issue in the Bluetooth     Human Interface Device Protocol (HIDP) stack. Local     users can obtain access to sensitive kernel memory.

  - CVE-2013-0914     Emese Revfy discovered an issue in the signal     implementation. Local users may be able to bypass the     address space layout randomization (ASLR) facility due     to a leaking of information to child processes.

  - CVE-2013-1767     Greg Thelen reported an issue in the tmpfs virtual     memory filesystem. Local users with sufficient privilege     to mount filesystems can cause a denial of service or     possibly elevated privileges due to a use-after free     defect.

  - CVE-2013-1773     Alan Stern provided a fix for a defect in the     UTF8->UTF16 string conversion facility used by the VFAT     filesystem. A local user could cause a buffer overflow     condition, resulting in a denial of service or     potentially elevated privileges.

  - CVE-2013-1774     Wolfgang Frisch provided a fix for a NULL pointer     dereference defect in the driver for some serial USB     devices from Inside Out Networks. Local users with     permission to access these devices can create a denial     of service (kernel oops) by causing the device to be     removed while it is in use.

  - CVE-2013-1792     Mateusz Guzik of Red Hat EMEA GSS SEG Team discovered a     race condition in the access key retention support in     the kernel. A local user could cause a denial of service     (NULL pointer dereference).

  - CVE-2013-1796     Andrew Honig of Google reported an issue in the KVM     subsystem. A user in a guest operating system could     corrupt kernel memory, resulting in a denial of service.

  - CVE-2013-1798     Andrew Honig of Google reported an issue in the KVM     subsystem. A user in a guest operating system could     cause a denial of service due to a use after-free     defect.

  - CVE-2013-1826     Mathias Krause discovered an issue in the Transformation     (XFRM) user configuration interface of the networking     stack. A user with the CAP_NET_ADMIN capability may be     able to gain elevated privileges.

  - CVE-2013-1860     Oliver Neukum discovered an issue in the USB CDC WCM     Device Management driver. Local users with the ability     to attach devices can cause a denial of service (kernel     crash) or potentially gain elevated privileges.

  - CVE-2013-1928     Kees Cook provided a fix for an information leak in the     VIDEO_SET_SPU_PALETTE ioctl for 32-bit applications     running on a 64-bit kernel. Local users can gain access     to sensitive kernel memory.

  - CVE-2013-1929     Oded Horovitz and Brad Spengler reported an issue in the     device driver for Broadcom Tigon3 based gigabit     Ethernet. Users with the ability to attach untrusted     devices can create an overflow condition, resulting in a     denial of service or elevated privileges.

  - CVE-2013-2015     Theodore Ts'o provided a fix for an issue in the ext4     filesystem. Local users with the ability to mount a     specially crafted filesystem can cause a denial of     service (infinite loop).

  - CVE-2013-2634     Mathias Krause discovered a few issues in the Data     Center Bridging (DCB) netlink interface. Local users can     gain access to sensitive kernel memory.

  - CVE-2013-3222     Mathias Krause discovered an issue in the Asynchronous     Transfer Mode (ATM) protocol support. Local users can     gain access to sensitive kernel memory.

  - CVE-2013-3223     Mathias Krause discovered an issue in the Amateur Radio     AX.25 protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3224     Mathias Krause discovered an issue in the Bluetooth     subsystem. Local users can gain access to sensitive     kernel memory.

  - CVE-2013-3225     Mathias Krause discovered an issue in the Bluetooth     RFCOMM protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3228     Mathias Krause discovered an issue in the IrDA     (infrared) subsystem support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3229     Mathias Krause discovered an issue in the IUCV support     on s390 systems. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3231     Mathias Krause discovered an issue in the ANSI/IEEE     802.2 LLC type 2 protocol support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3234     Mathias Krause discovered an issue in the Amateur Radio     X.25 PLP (Rose) protocol support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3235     Mathias Krause discovered an issue in the Transparent     Inter Process Communication (TIPC) protocol support.
    Local users can gain access to sensitive kernel memory.

* An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the Intel i915 driver in the Linux kernel handled the allocation of the buffer used for relocation copies. A local user with console access could use this flaw to cause a denial of service or escalate their privileges. (CVE-2013-0913, Important)

* A buffer overflow flaw was found in the way UTF-8 characters were converted to UTF-16 in the utf8s_to_utf16s() function of the Linux kernel's FAT file system implementation. A local user able to mount a FAT file system with the 'utf8=1' option could use this flaw to crash the system or, potentially, to escalate their privileges.
(CVE-2013-1773, Important)

* A flaw was found in the way KVM handled guest time updates when the buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) crossed a page boundary. A privileged guest user could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the host kernel level. (CVE-2013-1796, Important)

* A potential use-after-free flaw was found in the way KVM handled guest time updates when the GPA (guest physical address) the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell into a movable or removable memory region of the hosting user-space process (by default, QEMU-KVM) on the host. If that memory region is deregistered from KVM using KVM_SET_USER_MEMORY_REGION and the allocated virtual memory reused, a privileged guest user could potentially use this flaw to escalate their privileges on the host. (CVE-2013-1797, Important)

* A flaw was found in the way KVM emulated IOAPIC (I/O Advanced Programmable Interrupt Controller). A missing validation check in the ioapic_read_indirect() function could allow a privileged guest user to crash the host, or read a substantial portion of host kernel memory.
(CVE-2013-1798, Important)

* A race condition in install_user_keyrings(), leading to a NULL pointer dereference, was found in the key management facility. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-1792, Moderate)

* A NULL pointer dereference in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to cause a denial of service. (CVE-2013-1826, Moderate)

* A NULL pointer dereference in the Datagram Congestion Control Protocol (DCCP) implementation could allow a local user to cause a denial of service. (CVE-2013-1827, Moderate)

* Information leak flaws in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2012-6537, Low)

* Two information leak flaws in the Asynchronous Transfer Mode (ATM) subsystem could allow a local, unprivileged user to leak kernel stack memory to user-space. (CVE-2012-6546, Low)

* An information leak was found in the TUN/TAP device driver in the networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space. (CVE-2012-6547, Low)

* An information leak in the Bluetooth implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2013-0349, Low)

* A use-after-free flaw was found in the tmpfs implementation. A local user able to mount and unmount a tmpfs file system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1767, Low)

* A NULL pointer dereference was found in the Linux kernel's USB Inside Out Edgeport Serial Driver implementation. An attacker with physical access to a system could use this flaw to cause a denial of service. (CVE-2013-1774, Low)

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Security :

* An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the Intel i915 driver in the Linux kernel handled the allocation of the buffer used for relocation copies. A local user with console access could use this flaw to cause a denial of service or escalate their privileges. (CVE-2013-0913, Important)

* A buffer overflow flaw was found in the way UTF-8 characters were converted to UTF-16 in the utf8s_to_utf16s() function of the Linux kernel's FAT file system implementation. A local user able to mount a FAT file system with the 'utf8=1' option could use this flaw to crash the system or, potentially, to escalate their privileges.
(CVE-2013-1773, Important)

* A flaw was found in the way KVM handled guest time updates when the buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) crossed a page boundary. A privileged guest user could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the host kernel level. (CVE-2013-1796, Important)

* A potential use-after-free flaw was found in the way KVM handled guest time updates when the GPA (guest physical address) the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell into a movable or removable memory region of the hosting user-space process (by default, QEMU-KVM) on the host. If that memory region is deregistered from KVM using KVM_SET_USER_MEMORY_REGION and the allocated virtual memory reused, a privileged guest user could potentially use this flaw to escalate their privileges on the host. (CVE-2013-1797, Important)

* A flaw was found in the way KVM emulated IOAPIC (I/O Advanced Programmable Interrupt Controller). A missing validation check in the ioapic_read_indirect() function could allow a privileged guest user to crash the host, or read a substantial portion of host kernel memory.
(CVE-2013-1798, Important)

* A race condition in install_user_keyrings(), leading to a NULL pointer dereference, was found in the key management facility. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-1792, Moderate)

* A NULL pointer dereference in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to cause a denial of service. (CVE-2013-1826, Moderate)

* A NULL pointer dereference in the Datagram Congestion Control Protocol (DCCP) implementation could allow a local user to cause a denial of service. (CVE-2013-1827, Moderate)

* Information leak flaws in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2012-6537, Low)

* Two information leak flaws in the Asynchronous Transfer Mode (ATM) subsystem could allow a local, unprivileged user to leak kernel stack memory to user-space. (CVE-2012-6546, Low)

* An information leak was found in the TUN/TAP device driver in the networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space. (CVE-2012-6547, Low)

* An information leak in the Bluetooth implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2013-0349, Low)

* A use-after-free flaw was found in the tmpfs implementation. A local user able to mount and unmount a tmpfs file system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1767, Low)

* A NULL pointer dereference was found in the Linux kernel's USB Inside Out Edgeport Serial Driver implementation. An attacker with physical access to a system could use this flaw to cause a denial of service. (CVE-2013-1774, Low)

Red Hat would like to thank Andrew Honig of Google for reporting CVE-2013-1796, CVE-2013-1797, and CVE-2013-1798. CVE-2013-1792 was discovered by Mateusz Guzik of Red Hat EMEA GSS SEG Team.

This update fixes the following security issues :

  - A flaw was found in the Xen netback driver     implementation in the Linux kernel. A privileged guest     user with access to a para-virtualized network device     could use this flaw to cause a long loop in netback,     leading to a denial of service that could potentially     affect the entire system. (CVE-2013-0216, Moderate)

  - A flaw was found in the Xen PCI device back-end driver     implementation in the Linux kernel. A privileged guest     user in a guest that has a PCI passthrough device could     use this flaw to cause a denial of service that could     potentially affect the entire system. (CVE-2013-0231,     Moderate)

  - A NULL pointer dereference flaw was found in the IP     packet transformation framework (XFRM) implementation in     the Linux kernel. A local user who has the CAP_NET_ADMIN     capability could use this flaw to cause a denial of     service. (CVE-2013-1826, Moderate)

  - Information leak flaws were found in the XFRM     implementation in the Linux kernel. A local user who has     the CAP_NET_ADMIN capability could use these flaws to     leak kernel stack memory to user-space. (CVE-2012-6537,     Low)

  - An information leak flaw was found in the logical link     control (LLC) implementation in the Linux kernel. A     local, unprivileged user could use this flaw to leak     kernel stack memory to user-space. (CVE-2012-6542, Low)

  - Two information leak flaws were found in the Linux     kernel's Asynchronous Transfer Mode (ATM) subsystem. A     local, unprivileged user could use these flaws to leak     kernel stack memory to user-space. (CVE-2012-6546, Low)

  - An information leak flaw was found in the TUN/TAP device     driver in the Linux kernel's networking implementation.
    A local user with access to a TUN/TAP virtual interface     could use this flaw to leak kernel stack memory to     user-space. (CVE-2012-6547, Low)

This update also fixes the following bugs :

  - The IPv4 code did not correctly update the Maximum     Transfer Unit (MTU) of the designed interface when     receiving ICMP Fragmentation Needed packets.
    Consequently, a remote host did not respond correctly to     ping attempts. With this update, the IPv4 code has been     modified so the MTU of the designed interface is     adjusted as expected in this situation. The ping command     now provides the expected output.

  - Previously, the be2net code expected the last word of an     MCC completion message from the firmware to be     transferred by direct memory access (DMA) at once.
    However, this is not always true, and could therefore     cause the BUG_ON() macro to be triggered in the     be_mcc_compl_is_new() function, consequently leading to     a kernel panic. The BUG_ON() macro has been removed from     be_mcc_compl_is_new(), and the kernel panic no longer     occurs in this scenario.

  - Previously, the NFSv3 server incorrectly converted     64-bit cookies to 32-bit. Consequently, the cookies     became invalid, which affected all file system     operations depending on these cookies, such as the     READDIR operation that is used to read entries from a     directory. This led to various problems, such as     exported directories being empty or displayed     incorrectly, or an endless loop of the READDIRPLUS     procedure which could potentially cause a buffer     overflow. This update modifies knfsd code so that 64-bit     cookies are now handled correctly and all file system     operations work as expected.

The system must be rebooted for this update to take effect.

Updated kernel packages that fix several security issues and three bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A flaw was found in the Xen netback driver implementation in the Linux kernel. A privileged guest user with access to a para-virtualized network device could use this flaw to cause a long loop in netback, leading to a denial of service that could potentially affect the entire system. (CVE-2013-0216, Moderate)

* A flaw was found in the Xen PCI device back-end driver implementation in the Linux kernel. A privileged guest user in a guest that has a PCI passthrough device could use this flaw to cause a denial of service that could potentially affect the entire system.
(CVE-2013-0231, Moderate)

* A NULL pointer dereference flaw was found in the IP packet transformation framework (XFRM) implementation in the Linux kernel. A local user who has the CAP_NET_ADMIN capability could use this flaw to cause a denial of service. (CVE-2013-1826, Moderate)

* Information leak flaws were found in the XFRM implementation in the Linux kernel. A local user who has the CAP_NET_ADMIN capability could use these flaws to leak kernel stack memory to user-space.
(CVE-2012-6537, Low)

* An information leak flaw was found in the logical link control (LLC) implementation in the Linux kernel. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space.
(CVE-2012-6542, Low)

* Two information leak flaws were found in the Linux kernel's Asynchronous Transfer Mode (ATM) subsystem. A local, unprivileged user could use these flaws to leak kernel stack memory to user-space.
(CVE-2012-6546, Low)

* An information leak flaw was found in the TUN/TAP device driver in the Linux kernel's networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space. (CVE-2012-6547, Low)

Red Hat would like to thank the Xen project for reporting the CVE-2013-0216 and CVE-2013-0231 issues.

This update also fixes the following bugs :

* The IPv4 code did not correctly update the Maximum Transfer Unit (MTU) of the designed interface when receiving ICMP Fragmentation Needed packets. Consequently, a remote host did not respond correctly to ping attempts. With this update, the IPv4 code has been modified so the MTU of the designed interface is adjusted as expected in this situation. The ping command now provides the expected output.
(BZ#923353)

* Previously, the be2net code expected the last word of an MCC completion message from the firmware to be transferred by direct memory access (DMA) at once. However, this is not always true, and could therefore cause the BUG_ON() macro to be triggered in the be_mcc_compl_is_new() function, consequently leading to a kernel panic. The BUG_ON() macro has been removed from be_mcc_compl_is_new(), and the kernel panic no longer occurs in this scenario. (BZ#923910)

* Previously, the NFSv3 server incorrectly converted 64-bit cookies to 32-bit. Consequently, the cookies became invalid, which affected all file system operations depending on these cookies, such as the READDIR operation that is used to read entries from a directory. This led to various problems, such as exported directories being empty or displayed incorrectly, or an endless loop of the READDIRPLUS procedure which could potentially cause a buffer overflow. This update modifies knfsd code so that 64-bit cookies are now handled correctly and all file system operations work as expected. (BZ#924087)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2013-0744.

ID	Name	Product	Family	Severity
68856	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel Security (ELSA-2013-2534)	Nessus	Oracle Linux Local Security Checks	high
68852	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2013-2520)	Nessus	Oracle Linux Local Security Checks	medium
68809	Oracle Linux 5 : kernel (ELSA-2013-0747)	Nessus	Oracle Linux Local Security Checks	medium
68808	Oracle Linux 5 : kernel (ELSA-2013-0747-1)	Nessus	Oracle Linux Local Security Checks	medium
68807	Oracle Linux 6 : kernel (ELSA-2013-0744)	Nessus	Oracle Linux Local Security Checks	high
66494	Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1829-1)	Nessus	Ubuntu Local Security Checks	medium
66467	Ubuntu 10.04 LTS : linux vulnerabilities (USN-1824-1)	Nessus	Ubuntu Local Security Checks	medium
66431	Debian DSA-2668-1 : linux-2.6 - privilege escalation/denial of service/information leak	Nessus	Debian Local Security Checks	medium
66214	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20130423)	Nessus	Scientific Linux Local Security Checks	high
66204	CentOS 6 : kernel (CESA-2013:0744)	Nessus	CentOS Local Security Checks	high
66192	RHEL 6 : kernel (RHSA-2013:0744)	Nessus	Red Hat Local Security Checks	high
66016	Scientific Linux Security Update : kernel on SL5.x i386/x86_64 (20130416)	Nessus	Scientific Linux Local Security Checks	medium
65991	RHEL 5 : kernel (RHSA-2013:0747)	Nessus	Red Hat Local Security Checks	medium
65988	CentOS 5 : kernel (CESA-2013:0747)	Nessus	CentOS Local Security Checks	medium
801540	CentOS RHSA-2013-0744 Security Check	Log Correlation Engine	Generic	high

CVE-2013-1826

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

high

medium

medium

medium

high

medium

medium

medium

high

high

high

medium

medium

medium

high