SUSE-SU-2013:1473

SUSE-SU-2013:1474

openSUSE-SU-2013:1971

[linux-kernel] 20130603 [patch] fanotify: info leak in copy_event_to_user()

[oss-security] 20130605 Re: CVE Request: Linux kernel: fanotify: info leak in copy_event_to_user

USN-1929-1

USN-1930-1

https://bugzilla.redhat.com/show_bug.cgi?id=971258

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.

Updated kernel-rt packages that fix several security issues and multiple bugs are now available for Red Hat Enterprise MRG 2.3.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A heap-based buffer overflow flaw was found in the Linux kernel's iSCSI target subsystem. A remote attacker could use a specially crafted iSCSI request to cause a denial of service on a system or, potentially, escalate their privileges on that system. (CVE-2013-2850, Important)

* A flaw was found in the Linux kernel's Performance Events implementation. On systems with certain Intel processors, a local, unprivileged user could use this flaw to cause a denial of service by leveraging the perf subsystem to write into the reserved bits of the OFFCORE_RSP_0 and OFFCORE_RSP_1 model-specific registers.
(CVE-2013-2146, Moderate)

* An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination. (CVE-2013-2232, Moderate)

* Two flaws were found in the way the Linux kernel's TCP/IP protocol suite implementation handled IPv6 sockets that used the UDP_CORK option. A local, unprivileged user could use these flaws to cause a denial of service. (CVE-2013-4162, CVE-2013-4163, Moderate)

* A flaw was found in the Linux kernel's Chipidea USB driver. A local, unprivileged user could use this flaw to cause a denial of service.
(CVE-2013-2058, Low)

* Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space. (CVE-2013-2147, CVE-2013-2164, CVE-2013-2234, CVE-2013-2237, Low)

* Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space. (CVE-2013-2141, CVE-2013-2148, Low)

* A format string flaw was found in the Linux kernel's block layer. A privileged, local user could potentially use this flaw to escalate their privileges to kernel level (ring0). (CVE-2013-2851, Low)

* A format string flaw was found in the b43_do_request_fw() function in the Linux kernel's b43 driver implementation. A local user who is able to specify the 'fwpostfix' b43 module parameter could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-2852, Low)

* A NULL pointer dereference flaw was found in the Linux kernel's ftrace and function tracer implementations. A local user who has the CAP_SYS_ADMIN capability could use this flaw to cause a denial of service. (CVE-2013-3301, Low)

Red Hat would like to thank Kees Cook for reporting CVE-2013-2850, CVE-2013-2851, and CVE-2013-2852; and Hannes Frederic Sowa for reporting CVE-2013-4162 and CVE-2013-4163.

This update also fixes the following bugs :

* The following drivers have been updated, fixing a number of bugs:
myri10ge, bna, enic, mlx4, bgmac, bcma, cxgb3, cxgb4, qlcnic, r8169, be2net, e100, e1000, e1000e, igb, ixgbe, brcm80211, cpsw, pch_gbe, bfin_mac, bnx2x, bnx2, cnic, tg3, and sfc. (BZ#974138)

* The realtime kernel was not built with the CONFIG_NET_DROP_WATCH kernel configuration option enabled. As such, attempting to run the dropwatch command resulted in the following error :

Unable to find NET_DM family, dropwatch can't work Cleaning up on socket creation error

With this update, the realtime kernel is built with the CONFIG_NET_DROP_WATCH option, allowing dropwatch to work as expected.
(BZ#979417)

Users should upgrade to these updated packages, which upgrade the kernel-rt kernel to version kernel-rt-3.6.11.5-rt37, and correct these issues. The system must be rebooted for this update to take effect.

The Linux kernel was updated to 3.4.63, fixing various bugs and security issues.

  - Linux 3.4.59 (CVE-2013-2237 bnc#828119).

  - Linux 3.4.57 (CVE-2013-2148 bnc#823517).

  - Linux 3.4.55 (CVE-2013-2232 CVE-2013-2234 CVE-2013-4162     CVE-2013-4163 bnc#827749 bnc#827750 bnc#831055     bnc#831058).

  - Drivers: hv: util: Fix a bug in util version negotiation     code (bnc#838346).

  - vmxnet3: prevent div-by-zero panic when ring resizing     uninitialized dev (bnc#833321).

  - bnx2x: protect different statistics flows (bnc#814336).

  - bnx2x: Avoid sending multiple statistics queries     (bnc#814336).

  - Drivers: hv: util: Fix a bug in version negotiation code     for util services (bnc#828714).

  - Update Xen patches to 3.4.53.

  - netfront: fix kABI after 'reduce gso_max_size to account     for max TCP header'.

  - netback: don't disconnect frontend when seeing oversize     packet (bnc#823342).

  - netfront: reduce gso_max_size to account for max TCP     header.

  - backends: Check for insane amounts of requests on the     ring.

  - reiserfs: Fixed double unlock in reiserfs_setattr     failure path.

  - reiserfs: locking, release lock around quota operations     (bnc#815320).

  - reiserfs: locking, handle nested locks properly     (bnc#815320).

  - reiserfs: locking, push write lock out of xattr code     (bnc#815320).

  - ipv6: ip6_append_data_mtu did not care about pmtudisc     and frag_size (bnc#831055, CVE-2013-4163).

  - af_key: fix info leaks in notify messages (bnc#827749     CVE-2013-2234).

  - af_key: initialize satype in key_notify_policy_flush()     (bnc#828119 CVE-2013-2237).

  - ipv6: call udp_push_pending_frames when uncorking a     socket with (bnc#831058, CVE-2013-4162).

  - ipv6: ip6_sk_dst_check() must not assume ipv6 dst.

  - xfs: fix _xfs_buf_find oops on blocks beyond the     filesystem end (CVE-2013-1819 bnc#807471).

  - brcmsmac: don't start device when RfKill is engaged     (bnc#787649).

  - CIFS: Protect i_nlink from being negative (bnc#785542     bnc#789598).

  - cifs: don't compare uniqueids in cifs_prime_dcache     unless server inode numbers are in use (bnc#794988).

  - xfs: xfs: fallback to vmalloc for large buffers in     xfs_compat_attrlist_by_handle (bnc#818053 bnc#807153).

  - xfs: fallback to vmalloc for large buffers in     xfs_attrlist_by_handle (bnc#818053 bnc#807153).

  - Linux 3.4.53 (CVE-2013-2164 CVE-2013-2851 bnc#822575     bnc#824295).

  - drivers/cdrom/cdrom.c: use kzalloc() for failing     hardware (bnc#824295, CVE-2013-2164).

  - fanotify: info leak in copy_event_to_user()     (CVE-2013-2148 bnc#823517).

  - block: do not pass disk names as format strings     (bnc#822575 CVE-2013-2851).

  - ext4: avoid hang when mounting non-journal filesystems     with orphan list (bnc#817377).

  - Linux 3.4.49 (CVE-2013-0231 XSA-43 bnc#801178).

  - Linux 3.4.48 (CVE-2013-1774 CVE-2013-2850 bnc#806976     bnc#821560).

  - Always include the git commit in KOTD builds This allows     us not to set it explicitly in builds submitted to the     official distribution (bnc#821612, bnc#824171).

  - Bluetooth: Really fix registering hci with duplicate     name (bnc#783858).

  - Bluetooth: Fix registering hci with duplicate name     (bnc#783858).

The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).

The SUSE Linux Enterprise 11 Service Pack 2 kernel has been updated to version 3.0.93 and includes various bug and security fixes.

The following security bugs have been fixed :

  - The fill_event_metadata function in     fs/notify/fanotify/fanotify_user.c in the Linux kernel     did not initialize a certain structure member, which     allowed local users to obtain sensitive information from     kernel memory via a read operation on the fanotify     descriptor. (CVE-2013-2148)

  - The key_notify_policy_flush function in net/key/af_key.c     in the Linux kernel did not initialize a certain     structure member, which allowed local users to obtain     sensitive information from kernel heap memory by reading     a broadcast message from the notify_policy interface of     an IPSec key_socket. (CVE-2013-2237)

  - The ip6_sk_dst_check function in net/ipv6/ip6_output.c     in the Linux kernel allowed local users to cause a     denial of service (system crash) by using an AF_INET6     socket for a connection to an IPv4 interface.
    (CVE-2013-2232)

  - The (1) key_notify_sa_flush and (2)     key_notify_policy_flush functions in net/key/af_key.c in     the Linux kernel did not initialize certain structure     members, which allowed local users to obtain sensitive     information from kernel heap memory by reading a     broadcast message from the notify interface of an IPSec     key_socket. (CVE-2013-2234)

  - The udp_v6_push_pending_frames function in     net/ipv6/udp.c in the IPv6 implementation in the Linux     kernel made an incorrect function call for pending data,     which allowed local users to cause a denial of service     (BUG and system crash) via a crafted application that     uses the UDP_CORK option in a setsockopt system call.
    (CVE-2013-4162)

  - net/ceph/auth_none.c in the Linux kernel allowed remote     attackers to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact via an auth_reply message that     triggers an attempted build_request operation.
    (CVE-2013-1059)

  - The mmc_ioctl_cdrom_read_data function in     drivers/cdrom/cdrom.c in the Linux kernel allowed local     users to obtain sensitive information from kernel memory     via a read operation on a malfunctioning CD-ROM drive.
    (CVE-2013-2164)

  - Format string vulnerability in the register_disk     function in block/genhd.c in the Linux kernel allowed     local users to gain privileges by leveraging root access     and writing format string specifiers to     /sys/module/md_mod/parameters/new_array in order to     create a crafted /dev/md device name. (CVE-2013-2851)

  - The ip6_append_data_mtu function in     net/ipv6/ip6_output.c in the IPv6 implementation in the     Linux kernel did not properly maintain information about     whether the IPV6_MTU setsockopt option had been     specified, which allowed local users to cause a denial     of service (BUG and system crash) via a crafted     application that uses the UDP_CORK option in a     setsockopt system call. (CVE-2013-4163)

  - Heap-based buffer overflow in the tg3_read_vpd function     in drivers/net/ethernet/broadcom/tg3.c in the Linux     kernel allowed physically proximate attackers to cause a     denial of service (system crash) or possibly execute     arbitrary code via crafted firmware that specifies a     long string in the Vital Product Data (VPD) data     structure. (CVE-2013-1929)

  - The _xfs_buf_find function in fs/xfs/xfs_buf.c in the     Linux kernel did not validate block numbers, which     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) or possibly have     unspecified other impact by leveraging the ability to     mount an XFS filesystem containing a metadata inode with     an invalid extent map. (CVE-2013-1819)

  - The chase_port function in drivers/usb/serial/io_ti.c in     the Linux kernel allowed local users to cause a denial     of service (NULL pointer dereference and system crash)     via an attempted /dev/ttyUSB read or write operation on     a disconnected Edgeport USB serial converter.
    (CVE-2013-1774)

Also the following bugs have been fixed :

BTRFS :

  - btrfs: merge contiguous regions when loading free space     cache

  - btrfs: fix how we deal with the orphan block rsv

  - btrfs: fix wrong check during log recovery

  - btrfs: change how we indicate we are adding csums

  - btrfs: flush delayed inodes if we are short on space.
    (bnc#801427)

  - btrfs: rework shrink_delalloc. (bnc#801427)

  - btrfs: fix our overcommit math. (bnc#801427)

  - btrfs: delay block group item insertion. (bnc#801427)

  - btrfs: remove bytes argument from do_chunk_alloc.
    (bnc#801427)

  - btrfs: run delayed refs first when out of space.
    (bnc#801427)

  - btrfs: do not commit instead of overcommitting.
    (bnc#801427)

  - btrfs: do not take inode delalloc mutex if we are a free     space inode. (bnc#801427)

  - btrfs: fix chunk allocation error handling. (bnc#801427)

  - btrfs: remove extent mapping if we fail to add chunk.
    (bnc#801427)

  - btrfs: do not overcommit if we do not have enough space     for global rsv. (bnc#801427)

  - btrfs: rework the overcommit logic to be based on the     total size. (bnc#801427)

  - btrfs: steal from global reserve if we are cleaning up     orphans. (bnc#801427)

  - btrfs: clear chunk_alloc flag on retryable failure.
    (bnc#801427)

  - btrfs: use reserved space for creating a snapshot.
    (bnc#801427)

  - btrfs: cleanup to make the function     btrfs_delalloc_reserve_metadata more logic. (bnc#801427)

  - btrfs: fix space leak when we fail to reserve metadata     space. (bnc#801427)

  - btrfs: fix space accounting for unlink and rename.
    (bnc#801427)

  - btrfs: allocate new chunks if the space is not enough     for global rsv. (bnc#801427)

  - btrfs: various abort cleanups. (bnc#812526 / bnc#801427)

  - btrfs: simplify unlink reservations (bnc#801427). OTHER :

  - x86: Add workaround to NMI iret woes. (bnc#831949)

  - x86: Do not schedule while still in NMI context.
    (bnc#831949)

  - bnx2x: Avoid sending multiple statistics queries.
    (bnc#814336)

  - bnx2x: protect different statistics flows. (bnc#814336)

  - futex: Take hugepages into account when generating     futex_key.

  - drivers/hv: util: Fix a bug in version negotiation code     for util services. (bnc#828714)

  - printk: Add NMI ringbuffer. (bnc#831949)

  - printk: extract ringbuffer handling from vprintk.
    (bnc#831949)

  - printk: NMI safe printk. (bnc#831949)

  - printk: Make NMI ringbuffer size independent on     log_buf_len. (bnc#831949)

  - printk: Do not call console_unlock from nmi context.
    (bnc#831949)

  - printk: Do not use printk_cpu from finish_printk.
    (bnc#831949)

  - mlx4_en: Adding 40gb speed report for ethtool.
    (bnc#831410)

  - reiserfs: Fixed double unlock in reiserfs_setattr     failure path.

  - reiserfs: delay reiserfs lock until journal     initialization. (bnc#815320)

  - reiserfs: do not lock journal_init(). (bnc#815320)

  - reiserfs: locking, handle nested locks properly.
    (bnc#815320)

  - reiserfs: locking, push write lock out of xattr code.
    (bnc#815320)

  - reiserfs: locking, release lock around quota operations.
    (bnc#815320)

  - NFS: support 'nosharetransport' option (bnc#807502,     bnc#828192, FATE#315593).

  - dm mpath: add retain_attached_hw_handler feature.
    (bnc#760407)

  - scsi_dh: add scsi_dh_attached_handler_name. (bnc#760407)

  - bonding: disallow change of MAC if fail_over_mac     enabled. (bnc#827376)

  - bonding: propagate unicast lists down to slaves.
    (bnc#773255 / bnc#827372)

  - bonding: emit address change event also in bond_release.
    (bnc#773255 / bnc#827372)

  - bonding: emit event when bonding changes MAC.
    (bnc#773255 / bnc#827372)

  - SUNRPC: Ensure we release the socket write lock if the     rpc_task exits early. (bnc#830901)

  - ext4: force read-only unless rw=1 module option is used     (fate#314864).

  - HID: fix unused rsize usage. (bnc#783475)

  - HID: fix data access in implement(). (bnc#783475)

  - xfs: fix deadlock in xfs_rtfree_extent with kernel v3.x.
    (bnc#829622)

  - r8169: allow multicast packets on sub-8168f chipset.
    (bnc#805371)

  - r8169: support new chips of RTL8111F. (bnc#805371)

  - r8169: define the early size for 8111evl. (bnc#805371)

  - r8169: fix the reset setting for 8111evl. (bnc#805371)

  - r8169: add MODULE_FIRMWARE for the firmware of 8111evl.
    (bnc#805371)

  - r8169: fix sticky accepts packet bits in RxConfig.
    (bnc#805371)

  - r8169: adjust the RxConfig settings. (bnc#805371)

  - r8169: support RTL8111E-VL. (bnc#805371)

  - r8169: add ERI functions. (bnc#805371)

  - r8169: modify the flow of the hw reset. (bnc#805371)

  - r8169: adjust some registers. (bnc#805371)

  - r8169: check firmware content sooner. (bnc#805371)

  - r8169: support new firmware format. (bnc#805371)

  - r8169: explicit firmware format check. (bnc#805371)

  - r8169: move the firmware down into the device private     data. (bnc#805371)

  - mm: link_mem_sections make sure nmi watchdog does not     trigger while linking memory sections. (bnc#820434)

  - kernel: lost IPIs on CPU hotplug (bnc#825048,     LTC#94784).

  - iwlwifi: use correct supported firmware for 6035 and     6000g2. (bnc#825887)

  - watchdog: Update watchdog_thresh atomically.
    (bnc#829357)

  - watchdog: update watchdog_tresh properly. (bnc#829357)

  - watchdog:
    watchdog-make-disable-enable-hotplug-and-preempt-save.pa     tch. (bnc#829357)

  - include/1/smp.h: define __smp_call_function_single for     !CONFIG_SMP. (bnc#829357)

  - lpfc: Return correct error code on bsg_timeout.
    (bnc#816043)

  - dm-multipath: Drop table when retrying ioctl.
    (bnc#808940)

  - scsi: Do not retry invalid function error. (bnc#809122)

  - scsi: Always retry internal target error. (bnc#745640,     bnc#825227)

  - ibmvfc: Driver version 1.0.1. (bnc#825142)

  - ibmvfc: Fix for offlining devices during error recovery.
    (bnc#825142)

  - ibmvfc: Properly set cancel flags when cancelling abort.
    (bnc#825142)

  - ibmvfc: Send cancel when link is down. (bnc#825142)

  - ibmvfc: Support FAST_IO_FAIL in EH handlers.
    (bnc#825142)

  - ibmvfc: Suppress ABTS if target gone. (bnc#825142)

  - fs/dcache.c: add cond_resched() to     shrink_dcache_parent(). (bnc#829082)

  - kmsg_dump: do not run on non-error paths by default.
    (bnc#820172)

  - mm: honor min_free_kbytes set by user. (bnc#826960)

  - hyperv: Fix a kernel warning from     netvsc_linkstatus_callback(). (bnc#828574)

  - RT: Fix up hardening patch to not gripe when avg >     available, which lockless access makes possible and     happens in -rt kernels running a cpubound ltp realtime     testcase. Just keep the output sane in that case.

  - md/raid10: Fix two bug affecting RAID10 reshape (-).

  - Allow NFSv4 to run execute-only files. (bnc#765523)

  - fs/ocfs2/namei.c: remove unnecessary ERROR when removing     non-empty directory. (bnc#819363)

  - block: Reserve only one queue tag for sync IO if only 3     tags are available. (bnc#806396)

  - drm/i915: Add wait_for in init_ring_common. (bnc#813604)

  - drm/i915: Mark the ringbuffers as being in the GTT     domain. (bnc#813604)

  - ext4: avoid hang when mounting non-journal filesystems     with orphan list. (bnc#817377)

  - autofs4 - fix get_next_positive_subdir(). (bnc#819523)

  - ocfs2: Add bits_wanted while calculating credits in     ocfs2_calc_extend_credits. (bnc#822077)

  - re-enable io tracing. (bnc#785901)

  - SUNRPC: Prevent an rpc_task wakeup race. (bnc#825591)

  - tg3: Prevent system hang during repeated EEH errors.
    (bnc#822066)

  - backends: Check for insane amounts of requests on the     ring.

  - Update Xen patches to 3.0.82.

  - netiucv: Hold rtnl between name allocation and device     registration. (bnc#824159)

  - drm/edid: Do not print messages regarding stereo or     csync by default. (bnc#821235)

  - net/sunrpc: xpt_auth_cache should be ignored when     expired. (bnc#803320)

  - sunrpc/cache: ensure items removed from cache do not     have pending upcalls. (bnc#803320)

  - sunrpc/cache: remove races with queuing an upcall.
    (bnc#803320)

  - sunrpc/cache: use cache_fresh_unlocked consistently and     correctly. (bnc#803320)

  - md/raid10 'enough' fixes. (bnc#773837)

  - Update config files: disable IP_PNP. (bnc#822825)

  - Disable efi pstore by default. (bnc#804482 / bnc#820172)

  - md: Fix problem with GET_BITMAP_FILE returning wrong     status. (bnc#812974 / bnc#823497)

  - USB: xHCI: override bogus bulk wMaxPacketSize values.
    (bnc#823082)

  - ALSA: hda - Fix system panic when DMA > 40 bits for     Nvidia audio controllers. (bnc#818465)

  - USB: UHCI: fix for suspend of virtual HP controller.
    (bnc#817035)

  - mm: mmu_notifier: re-fix freed page still mapped in     secondary MMU. (bnc#821052)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2013-1059     Chanam Park reported an issue in the Ceph distributed     storage system. Remote users can cause a denial of     service by sending a specially crafted auth_reply     message.

  - CVE-2013-2148     Dan Carpenter reported an information leak in the     filesystem wide access notification subsystem     (fanotify). Local users could gain access to sensitive     kernel memory.

  - CVE-2013-2164     Jonathan Salwan reported an information leak in the     CD-ROM driver. A local user on a system with a     malfunctioning CD-ROM drive could gain access to     sensitive memory.

  - CVE-2013-2232     Dave Jones and Hannes Frederic Sowa resolved an issue in     the IPv6 subsystem. Local users could cause a denial of     service by using an AF_INET6 socket to connect to an     IPv4 destination.

  - CVE-2013-2234     Mathias Krause reported a memory leak in the     implementation of PF_KEYv2 sockets. Local users could     gain access to sensitive kernel memory.

  - CVE-2013-2237     Nicolas Dichtel reported a memory leak in the     implementation of PF_KEYv2 sockets. Local users could     gain access to sensitive kernel memory.

  - CVE-2013-2851     Kees Cook reported an issue in the block subsystem.
    Local users with uid 0 could gain elevated ring 0     privileges. This is only a security issue for certain     specially configured systems.

  - CVE-2013-2852     Kees Cook reported an issue in the b43 network driver     for certain Broadcom wireless devices. Local users with     uid 0 could gain elevated ring 0 privileges. This is     only a security issue for certain specially configured     systems.

  - CVE-2013-4162     Hannes Frederic Sowa reported an issue in the IPv6     networking subsystem. Local users can cause a denial of     service (system crash).

  - CVE-2013-4163     Dave Jones reported an issue in the IPv6 networking     subsystem. Local users can cause a denial of service     (system crash).

This update also includes a fix for a regression in the Xen subsystem.

Chanam Park reported a NULL pointer flaw in the Linux kernel's Ceph client. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1059)

An information leak was discovered in the Linux kernel's fanotify interface. A local user could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2013-2148)

Jonathan Salwan discovered an information leak in the Linux kernel's cdrom driver. A local user can exploit this leak to obtain sensitive information from kernel memory if the CD-ROM drive is malfunctioning.
(CVE-2013-2164)

Kees Cook discovered a format string vulnerability in the Linux kernel's disk block layer. A local user with administrator privileges could exploit this flaw to gain kernel privileges. (CVE-2013-2851)

Hannes Frederic Sowa discovered that the Linux kernel's IPv6 stack does not correctly handle Router Advertisement (RA) message in some cases. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2013-4125)

A vulnerability was discovered in the Linux kernel's vhost net driver.
A local user could cause a denial of service (system crash) by powering on a virtual machine. (CVE-2013-4127)

Marcus Moeller and Ken Fallon discovered that the CIFS incorrectly built certain paths. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2013-4247).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Chanam Park reported a NULL pointer flaw in the Linux kernel's Ceph client. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1059)

An information leak was discovered in the Linux kernel's fanotify interface. A local user could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2013-2148)

Jonathan Salwan discovered an information leak in the Linux kernel's cdrom driver. A local user can exploit this leak to obtain sensitive information from kernel memory if the CD-ROM drive is malfunctioning.
(CVE-2013-2164)

Kees Cook discovered a format string vulnerability in the Linux kernel's disk block layer. A local user with administrator privileges could exploit this flaw to gain kernel privileges. (CVE-2013-2851)

Hannes Frederic Sowa discovered that the Linux kernel's IPv6 stack does not correctly handle Router Advertisement (RA) message in some cases. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2013-4125)

A vulnerability was discovered in the Linux kernel's vhost net driver.
A local user could cause a denial of service (system crash) by powering on a virtual machine. (CVE-2013-4127).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Chanam Park reported a NULL pointer flaw in the Linux kernel's Ceph client. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1059)

An information leak was discovered in the Linux kernel's fanotify interface. A local user could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2013-2148)

Jonathan Salwan discovered an information leak in the Linux kernel's cdrom driver. A local user can exploit this leak to obtain sensitive information from kernel memory if the CD-ROM drive is malfunctioning.
(CVE-2013-2164)

Kees Cook discovered a format string vulnerability in the Linux kernel's disk block layer. A local user with administrator privileges could exploit this flaw to gain kernel privileges. (CVE-2013-2851).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An information leak was discovered in the Linux kernel's fanotify interface. A local user could exploit this flaw to obtain sensitive information from kernel memory.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Rebase to 3.9.8 now that 3.8 is no longer maintained.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to the latest upstream stable release, Linux v3.9.5

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to latest upstream stable release, Linux v3.9.5.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities has been found and corrected in the Linux kernel :

net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation.
(CVE-2013-1059)

The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel through 3.9.4 do not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c.
(CVE-2013-2147)

The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c in the Linux kernel through 3.9.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a read operation on the fanotify descriptor. (CVE-2013-2148)

Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name. (CVE-2013-2851)

The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. (CVE-2013-2164)

The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (CVE-2013-2237)

The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.
(CVE-2013-2234)

The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. (CVE-2013-2232)

The online_pages function in mm/memory_hotplug.c in the Linux kernel before 3.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact in opportunistic circumstances by using memory that was hot-added by an administrator. (CVE-2012-5517)

Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message. (CVE-2013-2852)

The ftrace implementation in the Linux kernel before 3.8.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for write access to the (1) set_ftrace_pid or (2) set_graph_function file, and then making an lseek system call. (CVE-2013-3301)

The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages.
NOTE: some of these details are obtained from third-party information.
(CVE-2013-0231)

The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter. (CVE-2013-1774)

Heap-based buffer overflow in the iscsi_add_notunderstood_response function in drivers/target/iscsi/iscsi_target_parameters.c in the iSCSI target subsystem in the Linux kernel through 3.9.4 allows remote attackers to cause a denial of service (memory corruption and OOPS) or possibly execute arbitrary code via a long key that is not properly handled during construction of an error-response packet.
(CVE-2013-2850)

The updated packages provides a solution for these security issues.

ID	Name	Product	Family	Severity
99163	OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)	Nessus	OracleVM Local Security Checks	critical
76665	RHEL 6 : MRG (RHSA-2013:1264)	Nessus	Red Hat Local Security Checks	high
75184	openSUSE Security Update : kernel (openSUSE-SU-2013:1619-1)	Nessus	SuSE Local Security Checks	high
74878	openSUSE Security Update : kernel (openSUSE-SU-2013:1971-1)	Nessus	SuSE Local Security Checks	high
72472	Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2014-3002)	Nessus	Oracle Linux Local Security Checks	high
70040	SuSE 11.3 Security Update : Linux kernel (SAT Patch Numbers 8269 / 8270 / 8283)	Nessus	SuSE Local Security Checks	high
70039	SuSE 11.2 Security Update : Linux kernel (SAT Patch Numbers 8263 / 8265 / 8273)	Nessus	SuSE Local Security Checks	high
69505	Debian DSA-2745-1 : linux - privilege escalation/denial of service/information leak	Nessus	Debian Local Security Checks	high
69419	Ubuntu 12.04 LTS : linux-lts-raring vulnerabilities (USN-1936-1)	Nessus	Ubuntu Local Security Checks	high
69418	Ubuntu 13.04 : linux vulnerabilities (USN-1935-1)	Nessus	Ubuntu Local Security Checks	high
69417	Ubuntu 12.10 : linux vulnerabilities (USN-1932-1)	Nessus	Ubuntu Local Security Checks	high
69416	Ubuntu 12.04 LTS : linux-lts-quantal vulnerabilities (USN-1931-1)	Nessus	Ubuntu Local Security Checks	high
69415	Ubuntu 12.04 LTS : linux vulnerability (USN-1929-1)	Nessus	Ubuntu Local Security Checks	low
67351	Fedora 17 : kernel-3.9.8-100.fc17 (2013-9123)	Nessus	Fedora Local Security Checks	high
67285	Fedora 18 : kernel-3.9.5-201.fc18 (2013-10695)	Nessus	Fedora Local Security Checks	high
67284	Fedora 19 : kernel-3.9.5-301.fc19 (2013-10689)	Nessus	Fedora Local Security Checks	medium
67254	Mandriva Linux Security Advisory : kernel (MDVSA-2013:194)	Nessus	Mandriva Local Security Checks	high

CVE-2013-2148

LOW

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

high

high

high

high

high

high

high

high

high

high

low

high

high

medium

high