http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2d6fbfe733f35c6b355c216644e08e149c61b271

SUSE-SU-2013:1182

openSUSE-SU-2013:1187

openSUSE-SU-2013:1971

MDVSA-2013:176

[oss-security] 20130414 Linux kernel: more net info leak fixes for v3.9

USN-1837-1

https://github.com/torvalds/linux/commit/2d6fbfe733f35c6b355c216644e08e149c61b271

[linux-kernel] 20130414 Linux 3.9-rc7

The SUSE Linux Enterprise 11 Service Pack 3 kernel has been updated to 3.0.82 and to fix various bugs and security issues.

The following security issues have been fixed :

  - The chase_port function in drivers/usb/serial/io_ti.c in     the Linux kernel allowed local users to cause a denial     of service (NULL pointer dereference and system crash)     via an attempted /dev/ttyUSB read or write operation on     a disconnected Edgeport USB serial converter.
    (CVE-2013-1774)

  - Timing side channel on attacks were possible on     /dev/ptmx that could allow local attackers to predict     keypresses like e.g. passwords. This has been fixed     again by updating accessed/modified time on the pty     devices in resolution of 8 seconds, so that idle time     detection can still work. (CVE-2013-0160)

  - The vcc_recvmsg function in net/atm/common.c in the     Linux kernel did not initialize a certain length     variable, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3222)

  - The ax25_recvmsg function in net/ax25/af_ax25.c in the     Linux kernel did not initialize a certain data     structure, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3223)

  - The bt_sock_recvmsg function in     net/bluetooth/af_bluetooth.c in the Linux kernel did not     properly initialize a certain length variable, which     allowed local users to obtain sensitive information from     kernel stack memory via a crafted recvmsg or recvfrom     system call. (CVE-2013-3224)

  - The rfcomm_sock_recvmsg function in     net/bluetooth/rfcomm/sock.c in the Linux kernel did not     initialize a certain length variable, which allowed     local users to obtain sensitive information from kernel     stack memory via a crafted recvmsg or recvfrom system     call. (CVE-2013-3225)

  - The caif_seqpkt_recvmsg function in     net/caif/caif_socket.c in the Linux kernel did not     initialize a certain length variable, which allowed     local users to obtain sensitive information from kernel     stack memory via a crafted recvmsg or recvfrom system     call. (CVE-2013-3227)

  - The irda_recvmsg_dgram function in net/irda/af_irda.c in     the Linux kernel did not initialize a certain length     variable, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3228)

  - The iucv_sock_recvmsg function in net/iucv/af_iucv.c in     the Linux kernel did not initialize a certain length     variable, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3229)

  - The llc_ui_recvmsg function in net/llc/af_llc.c in the     Linux kernel did not initialize a certain length     variable, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3231)

  - The nr_recvmsg function in net/netrom/af_netrom.c in the     Linux kernel did not initialize a certain data     structure, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3232)

  - The rose_recvmsg function in net/rose/af_rose.c in the     Linux kernel did not initialize a certain data     structure, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3234)

  - net/tipc/socket.c in the Linux kernel did not initialize     a certain data structure and a certain length variable,     which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3235)

  - The crypto API in the Linux kernel did not initialize     certain length variables, which allowed local users to     obtain sensitive information from kernel stack memory     via a crafted recvmsg or recvfrom system call, related     to the hash_recvmsg function in crypto/algif_hash.c and     the skcipher_recvmsg function in     crypto/algif_skcipher.c. (CVE-2013-3076)

  - The scm_set_cred function in include/net/scm.h in the     Linux kernel used incorrect uid and gid values during     credentials passing, which allowed local users to gain     privileges via a crafted application. (CVE-2013-1979)

  - A kernel information leak via tkill/tgkill was fixed.
    The following non-security bugs have been fixed :

S/390 :

  - af_iucv: Missing man page (bnc#825037, LTC#94825).

  - iucv: fix kernel panic at reboot (bnc#825037,     LTC#93803).

  - kernel: lost IPIs on CPU hotplug (bnc#825037,     LTC#94784).

  - dasd: Add missing descriptions for dasd timeout messages     (bnc#825037, LTC#94762).

  - dasd: Fix hanging device after resume with internal     error 13 (bnc#825037, LTC#94554).

  - cio: Suppress 2nd path verification during resume     (bnc#825037, LTC#94554).

  - vmcp: Missing man page (bnc#825037, LTC#94453).

  - kernel: 3215 console crash (bnc#825037, LTC#94302).

  - netiucv: Hold rtnl between name allocation and device     registration. (bnc#824159)

  - s390/ftrace: fix mcount adjustment (bnc#809895). HyperV :

  - Drivers: hv: Fix a bug in get_vp_index().

  - hyperv: Fix a compiler warning in netvsc_send().

  - Tools: hv: Fix a checkpatch warning.

  - tools: hv: skip iso9660 mounts in hv_vss_daemon.

  - tools: hv: use FIFREEZE/FITHAW in hv_vss_daemon.

  - tools: hv: use getmntent in hv_vss_daemon.

  - Tools: hv: Fix a checkpatch warning.

  - tools: hv: fix checks for origin of netlink message in     hv_vss_daemon.

  - Tools: hv: fix warnings in hv_vss_daemon.

  - x86, hyperv: Handle Xen emulation of Hyper-V more     gracefully.

  - hyperv: Fix a kernel warning from     netvsc_linkstatus_callback().

  - Drivers: hv: balloon: make local functions static.

  - tools: hv: daemon should check type of received Netlink     msg.

  - tools: hv: daemon setsockopt should use options macros.

  - tools: hv: daemon should subscribe only to CN_KVP_IDX     group.

  - driver: hv: remove cast for kmalloc return value.

  - hyperv: use 3.4 as LIC version string (bnc#822431).
    BTRFS :

  - btrfs: flush delayed inodes if we are short on space.
    (bnc#801427)

  - btrfs: rework shrink_delalloc. (bnc#801427)

  - btrfs: fix our overcommit math. (bnc#801427)

  - btrfs: delay block group item insertion. (bnc#801427)

  - btrfs: remove bytes argument from do_chunk_alloc.
    (bnc#801427)

  - btrfs: run delayed refs first when out of space.
    (bnc#801427)

  - btrfs: do not commit instead of overcommitting.
    (bnc#801427)

  - btrfs: do not take inode delalloc mutex if we are a free     space inode. (bnc#801427)

  - btrfs: fix chunk allocation error handling. (bnc#801427)

  - btrfs: remove extent mapping if we fail to add chunk.
    (bnc#801427)

  - btrfs: do not overcommit if we do not have enough space     for global rsv. (bnc#801427)

  - btrfs: rework the overcommit logic to be based on the     total size. (bnc#801427)

  - btrfs: steal from global reserve if we are cleaning up     orphans. (bnc#801427)

  - btrfs: clear chunk_alloc flag on retryable failure.
    (bnc#801427)

  - btrfs: use reserved space for creating a snapshot.
    (bnc#801427)

  - btrfs: cleanup to make the function     btrfs_delalloc_reserve_metadata more logic. (bnc#801427)

  - btrfs: fix space leak when we fail to reserve metadata     space. (bnc#801427)

  - btrfs: fix space accounting for unlink and rename.
    (bnc#801427)

  - btrfs: allocate new chunks if the space is not enough     for global rsv. (bnc#801427)

  - btrfs: various abort cleanups. (bnc#812526 / bnc#801427)

  - btrfs: simplify unlink reservations (bnc#801427). XFS :

  - xfs: Move allocation stack switch up to xfs_bmapi.
    (bnc#815356)

  - xfs: introduce XFS_BMAPI_STACK_SWITCH. (bnc#815356)

  - xfs: zero allocation_args on the kernel stack.
    (bnc#815356)

  - xfs: fix debug_object WARN at xfs_alloc_vextent().
    (bnc#815356)

  - xfs: do not defer metadata allocation to the workqueue.
    (bnc#815356)

  - xfs: introduce an allocation workqueue. (bnc#815356)

  - xfs: fix race while discarding buffers [V4] (bnc#815356     (comment 36)).

  - xfs: Serialize file-extending direct IO. (bnc#818371)

  - xfs: Do not allocate new buffers on every call to
    _xfs_buf_find. (bnc#763968)

  - xfs: fix buffer lookup race on allocation failure     (bnc#763968). ALSA :

  - Fix VT1708 jack detection on SLEPOS machines.
    (bnc#813922)

  - ALSA: hda - Avoid choose same converter for unused pins.
    (bnc#826186)

  - ALSA: hda - Cache the MUX selection for generic HDMI.
    (bnc#826186)

  - ALSA: hda - Haswell converter power state D0 verify.
    (bnc#826186)

  - ALSA: hda - Do not take unresponsive D3 transition too     serious. (bnc#823597)

  - ALSA: hda - Introduce bit flags to     snd_hda_codec_read/write(). (bnc#823597)

  - ALSA: hda - Check CORB overflow. (bnc#823597)

  - ALSA: hda - Check validity of CORB/RIRB WP reads.
    (bnc#823597)

  - ALSA: hda - Fix system panic when DMA > 40 bits for     Nvidia audio controllers. (bnc#818465)

  - ALSA: hda - Add hint for suppressing lower cap for IDT     codecs. (bnc#812332)

  - ALSA: hda - Enable mic-mute LED on more HP laptops     (bnc#821859). Direct Rendering Manager (DRM) :

  - drm/i915: Add wait_for in init_ring_common. (bnc#813604)

  - drm/i915: Mark the ringbuffers as being in the GTT     domain. (bnc#813604)

  - drm/edid: Do not print messages regarding stereo or     csync by default. (bnc#821235)

  - drm/i915: force full modeset if the connector is in DPMS     OFF mode. (bnc#809975)

  - drm/i915/sdvo: Use &amp;intel_sdvo->ddc instead of     intel_sdvo->i2c for DDC. (bnc#808855)

  - drm/mm: fix dump table BUG. (bnc#808837)

  - drm/i915: Clear the stolen fb before enabling     (bnc#808015). XEN :

  - xen/netback: Update references. (bnc#823342)

  - xen: Check for insane amounts of requests on the ring.

  - Update Xen patches to 3.0.82.

  - netback: do not disconnect frontend when seeing oversize     packet.

  - netfront: reduce gso_max_size to account for max TCP     header.

  - netfront: fix kABI after 'reduce gso_max_size to account     for max TCP header'. Other :

  - x86, efi: retry ExitBootServices() on failure.
    (bnc#823386)

  - x86/efi: Fix dummy variable buffer allocation.
    (bnc#822080)

  - ext4: avoid hang when mounting non-journal filesystems     with orphan list. (bnc#817377)

  - mm: compaction: Scan PFN caching KABI workaround (Fix     KABI breakage (bnc#825657)).

  - autofs4 - fix get_next_positive_subdir(). (bnc#819523)

  - ocfs2: Add bits_wanted while calculating credits in     ocfs2_calc_extend_credits. (bnc#822077)

  - writeback: Avoid needless scanning of b_dirty list.
    (bnc#819018)

  - writeback: Do not sort b_io list only because of block     device inode. (bnc#819018)

  - re-enable io tracing. (bnc#785901)

  - pciehp: Corrected the old mismatching DMI strings.

  - SUNRPC: Prevent an rpc_task wakeup race. (bnc#825591)

  - tg3: Prevent system hang during repeated EEH errors.
    (bnc#822066)

  - scsi_dh_alua: multipath failover fails with error 15.
    (bnc#825696)

  - Do not switch camera on HP EB 8780. (bnc#797090)

  - Do not switch webcam for HP EB 8580w. (bnc#797090)

  - mm: fixup compilation error due to an asm write through     a const pointer. (bnc#823795)

  - do not switch cam port on HP EliteBook 840. (bnc#822164)

  - net/sunrpc: xpt_auth_cache should be ignored when     expired. (bnc#803320)

  - sunrpc/cache: ensure items removed from cache do not     have pending upcalls. (bnc#803320)

  - sunrpc/cache: remove races with queuing an upcall.
    (bnc#803320)

  - sunrpc/cache: use cache_fresh_unlocked consistently and     correctly. (bnc#803320)

  - KVM: x86: emulate movdqa. (bnc#821070)

  - KVM: x86: emulator: add support for vector alignment.
    (bnc#821070)

  - KVM: x86: emulator: expand decode flags to 64 bits.
    (bnc#821070)

  - xhci - correct comp_mode_recovery_timer on return from     hibernate. (bnc#808136)

  - md/raid10 enough fixes. (bnc#773837)

  - lib/Makefile: Fix oid_registry build dependency.
    (bnc#823223)

  - Update config files: disable IP_PNP. (bnc#822825)

  - Fix kABI breakage for addition of     snd_hda_bus.no_response_fallback. (bnc#823597)

  - Disable efi pstore by default. (bnc#804482 / bnc#820172)

  - md: Fix problem with GET_BITMAP_FILE returning wrong     status. (bnc#812974)

  - bnx2x: Fix bridged GSO for 57710/57711 chips.
    (bnc#819610)

  - USB: xHCI: override bogus bulk wMaxPacketSize values.
    (bnc#823082)

  - BTUSB: Add MediaTek bluetooth MT76x0E support.
    (bnc#797727 / bnc#822340)

  - qlge: Update version to 1.00.00.32. (bnc#819195)

  - qlge: Fix ethtool autoneg advertising. (bnc#819195)

  - qlge: Fix receive path to drop error frames.
    (bnc#819195)

  - qlge: remove NETIF_F_TSO6 flag. (bnc#819195)

  - remove init of dev->perm_addr in drivers. (bnc#819195)

  - drivers/net: fix up function prototypes after __dev*     removals. (bnc#819195)

  - qlge: remove __dev* attributes. (bnc#819195)

  - drivers: ethernet: qlogic: qlge_dbg.c: Fixed a coding     style issue. (bnc#819195)

  - cxgb4: Force uninitialized state if FW_ON_ADAPTER is <     FW_VERSION and we are the MASTER_PF. (bnc#809130)

  - USB: UHCI: fix for suspend of virtual HP controller.
    (bnc#817035)

  - timer_list: Convert timer list to be a proper seq_file.
    (bnc#818047)

  - timer_list: Split timer_list_show_tickdevices.
    (bnc#818047)

  - sched: Fix /proc/sched_debug failure on very very large     systems. (bnc#818047)

  - sched: Fix /proc/sched_stat failure on very very large     systems. (bnc#818047)

  - reiserfs: fix spurious multiple-fill in     reiserfs_readdir_dentry. (bnc#822722)

  - libfc: do not exch_done() on invalid sequence ptr.
    (bnc#810722)

  - netfilter: ip6t_LOG: fix logging of packet mark.
    (bnc#821930)

  - virtio_net: introduce VIRTIO_NET_HDR_F_DATA_VALID.
    (bnc#819655)

  - HWPOISON: fix misjudgement of page_action() for errors     on mlocked pages (Memory failure RAS (bnc#821799)).

  - HWPOISON: check dirty flag to match against clean page     (Memory failure RAS (bnc#821799)).

  - HWPOISON: change order of error_states elements (Memory     failure RAS (bnc#821799)).

  - mm: hwpoison: fix action_result() to print out     dirty/clean (Memory failure RAS (bnc#821799)).

  - mm: mmu_notifier: re-fix freed page still mapped in     secondary MMU. (bnc#821052)

  - Do not switch webcams in some HP ProBooks to XHCI.
    (bnc#805804)

  - Do not switch BT on HP ProBook 4340. (bnc#812281)

  - mm: memory_dev_init make sure nmi watchdog does not     trigger while registering memory sections. (bnc#804609,     bnc#820434)

  - mm: compaction: Restart compaction from near where it     left off

  - mm: compaction: cache if a pageblock was scanned and no     pages were isolated

  - mm: compaction: clear PG_migrate_skip based on     compaction and reclaim activity

  - mm: compaction: Scan PFN caching KABI workaround

  - mm: page_allocator: Remove first_pass guard

  - mm: vmscan: do not stall on writeback during memory     compaction Cache compaction restart points for faster     compaction cycles (bnc#816451)

Multiple vulnerabilities has been found and corrected in the Linux kernel :

The scm_set_cred function in include/net/scm.h in the Linux kernel before 3.8.11 uses incorrect uid and gid values during credentials passing, which allows local users to gain privileges via a crafted application. (CVE-2013-1979)

The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3232)

net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(CVE-2013-3235)

The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3234)

The llcp_sock_recvmsg function in net/nfc/llcp/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable and a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3233)

The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3231)

The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(CVE-2013-3229)

The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(CVE-2013-3228)

The caif_seqpkt_recvmsg function in net/caif/caif_socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3227)

The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3225)

The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3224)

The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3223)

The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3222)

Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.
(CVE-2013-2596)

arch/x86/kernel/cpu/perf_event_intel.c in the Linux kernel before 3.8.9, when the Performance Events Subsystem is enabled, specifies an incorrect bitmask, which allows local users to cause a denial of service (general protection fault and system crash) by attempting to set a reserved bit. (CVE-2013-2146)

The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call. (CVE-2013-2094)

The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application. (CVE-2013-1798)

Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation. (CVE-2013-1797)

The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application. (CVE-2013-1796)

The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call.
(CVE-2013-2141)

Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel before 3.8.6 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure. (CVE-2013-1929)

The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.8-rc1, allows local users to cause a denial of service (daemon exit) via a crafted application that sends a Netlink message. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2669. (CVE-2012-5532)

The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (CVE-2012-6548)

The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (CVE-2012-6549)

net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
(CVE-2013-2634)

The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (CVE-2013-2635)

fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments to functions in certain circumstances related to printk input, which allows local users to conduct format-string attacks and possibly gain privileges via a crafted application. (CVE-2013-1848)

The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. (CVE-2013-0914)

Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux kernel before 3.8.4 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted cdc-wdm USB device. (CVE-2013-1860)

Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) via crafted keyctl system calls that trigger keyring operations in simultaneous threads. (CVE-2013-1792)

The report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect C library function for copying strings, which allows local users to obtain sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability.
(CVE-2013-2546)

The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 does not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability. (CVE-2013-2547)

The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect length value during a copy operation, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. (CVE-2013-2548)

The translate_desc function in drivers/vhost/vhost.c in the Linux kernel before 3.7 does not properly handle cross-region descriptors, which allows guest OS users to obtain host OS privileges by leveraging KVM guest OS privileges. (CVE-2013-0311)

Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message. (CVE-2013-1763)

The __skb_recv_datagram function in net/core/datagram.c in the Linux kernel before 3.8 does not properly handle the MSG_PEEK flag with zero-length data, which allows local users to cause a denial of service (infinite loop and system hang) via a crafted application.
(CVE-2013-0290)

Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option. (CVE-2013-1767)

The xen_iret function in arch/x86/xen/xen-asm_32.S in the Linux kernel before 3.7.9 on 32-bit Xen paravirt_ops platforms does not properly handle an invalid value in the DS segment register, which allows guest OS users to gain guest OS privileges via a crafted application.
(CVE-2013-0228)

Memory leak in drivers/net/xen-netback/netback.c in the Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (memory consumption) by triggering certain error conditions. (CVE-2013-0217)

The Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (loop) by triggering ring pointer corruption. (CVE-2013-0216)

The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (CVE-2012-6547)

The updated packages provides a solution for these security issues.

The SUSE Linux Enterprise 11 Service Pack 2 kernel has been updated to Linux kernel 3.0.80 which fixes various bugs and security issues.

The following security issues have been fixed :

  - Timing side channel on attacks were possible on     /dev/ptmx that could allow local attackers to predict     keypresses like e.g. passwords. This has been fixed     again by updating accessed/modified time on the pty     devices in resolution of 8 seconds, so that idle time     detection can still work. (CVE-2013-0160)

  - The vcc_recvmsg function in net/atm/common.c in the     Linux kernel did not initialize a certain length     variable, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3222)

  - The ax25_recvmsg function in net/ax25/af_ax25.c in the     Linux kernel did not initialize a certain data     structure, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3223)

  - The bt_sock_recvmsg function in     net/bluetooth/af_bluetooth.c in the Linux kernel did not     properly initialize a certain length variable, which     allowed local users to obtain sensitive information from     kernel stack memory via a crafted recvmsg or recvfrom     system call. (CVE-2013-3224)

  - The rfcomm_sock_recvmsg function in     net/bluetooth/rfcomm/sock.c in the Linux kernel did not     initialize a certain length variable, which allowed     local users to obtain sensitive information from kernel     stack memory via a crafted recvmsg or recvfrom system     call. (CVE-2013-3225)

  - The caif_seqpkt_recvmsg function in     net/caif/caif_socket.c in the Linux kernel did not     initialize a certain length variable, which allowed     local users to obtain sensitive information from kernel     stack memory via a crafted recvmsg or recvfrom system     call. (CVE-2013-3227)

  - The irda_recvmsg_dgram function in net/irda/af_irda.c in     the Linux kernel did not initialize a certain length     variable, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3228)

  - The iucv_sock_recvmsg function in net/iucv/af_iucv.c in     the Linux kernel did not initialize a certain length     variable, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3229)

  - The llc_ui_recvmsg function in net/llc/af_llc.c in the     Linux kernel did not initialize a certain length     variable, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3231)

  - The nr_recvmsg function in net/netrom/af_netrom.c in the     Linux kernel did not initialize a certain data     structure, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3232)

  - The rose_recvmsg function in net/rose/af_rose.c in the     Linux kernel did not initialize a certain data     structure, which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3234)

  - net/tipc/socket.c in the Linux kernel did not initialize     a certain data structure and a certain length variable,     which allowed local users to obtain sensitive     information from kernel stack memory via a crafted     recvmsg or recvfrom system call. (CVE-2013-3235)

  - The crypto API in the Linux kernel did not initialize     certain length variables, which allowed local users to     obtain sensitive information from kernel stack memory     via a crafted recvmsg or recvfrom system call, related     to the hash_recvmsg function in crypto/algif_hash.c and     the skcipher_recvmsg function in     crypto/algif_skcipher.c. (CVE-2013-3076)

  - The scm_set_cred function in include/net/scm.h in the     Linux kernel used incorrect uid and gid values during     credentials passing, which allowed local users to gain     privileges via a crafted application. (CVE-2013-1979)

  - A kernel information leak via tkill/tgkill was fixed.
    The following bugs have been fixed :

  - reiserfs: fix spurious multiple-fill in     reiserfs_readdir_dentry. (bnc#822722)

  - libfc: do not exch_done() on invalid sequence ptr.
    (bnc#810722)

  - netfilter: ip6t_LOG: fix logging of packet mark.
    (bnc#821930)

  - hyperv: use 3.4 as LIC version string. (bnc#822431)

  - virtio_net: introduce VIRTIO_NET_HDR_F_DATA_VALID.
    (bnc#819655)

  - xen/netback: do not disconnect frontend when seeing     oversize packet.

  - xen/netfront: reduce gso_max_size to account for max TCP     header.

  - xen/netfront: fix kABI after 'reduce gso_max_size to     account for max TCP header'.

  - xfs: Fix kABI due to change in xfs_buf. (bnc#815356)

  - xfs: fix race while discarding buffers [V4] (bnc#815356     (comment 36)).

  - xfs: Serialize file-extending direct IO. (bnc#818371)

  - xhci: Do not switch webcams in some HP ProBooks to XHCI.
    (bnc#805804)

  - bluetooth: Do not switch BT on HP ProBook 4340.
    (bnc#812281)

  - s390/ftrace: fix mcount adjustment. (bnc#809895)

  - mm: memory_dev_init make sure nmi watchdog does not     trigger while registering memory sections. (bnc#804609,     bnc#820434)

  - patches.fixes/xfs-backward-alloc-fix.diff: xfs: Avoid     pathological backwards allocation. (bnc#805945)

  - mm: compaction: Restart compaction from near where it     left off

  - mm: compaction: cache if a pageblock was scanned and no     pages were isolated

  - mm: compaction: clear PG_migrate_skip based on     compaction and reclaim activity

  - mm: compaction: Scan PFN caching KABI workaround

  - mm: page_allocator: Remove first_pass guard

  - mm: vmscan: do not stall on writeback during memory     compaction Cache compaction restart points for faster     compaction cycles. (bnc#816451)

  - qlge: fix dma map leak when the last chunk is not     allocated. (bnc#819519)

  - SUNRPC: Get rid of the redundant xprt->shutdown bit     field. (bnc#800907)

  - SUNRPC: Ensure that we grab the XPRT_LOCK before calling     xprt_alloc_slot. (bnc#800907)

  - SUNRPC: Fix a UDP transport regression. (bnc#800907)

  - SUNRPC: Allow caller of rpc_sleep_on() to select     priority levels. (bnc#800907)

  - SUNRPC: Replace xprt->resend and xprt->sending with a     priority queue. (bnc#800907)

  - SUNRPC: Fix potential races in xprt_lock_write_next().
    (bnc#800907)

  - md: cannot re-add disks after recovery. (bnc#808647)

  - fs/xattr.c:getxattr(): improve handling of allocation     failures. (bnc#818053)

  - fs/xattr.c:listxattr(): fall back to vmalloc() if     kmalloc() failed. (bnc#818053)

  - fs/xattr.c:setxattr(): improve handling of allocation     failures. (bnc#818053)

  - fs/xattr.c: suppress page allocation failure warnings     from sys_listxattr(). (bnc#818053)

  - virtio-blk: Call revalidate_disk() upon online disk     resize. (bnc#817339)

  - usb-storage: CY7C68300A chips do not support Cypress     ATACB. (bnc#819295)

  - patches.kernel.org/patch-3.0.60-61: Update references     (add bnc#810580).

  - usb: Using correct way to clear usb3.0 devices remote     wakeup feature. (bnc#818516)

  - xhci: Fix TD size for isochronous URBs. (bnc#818514)

  - ALSA: hda - fixup D3 pin and right channel mute on     Haswell HDMI audio. (bnc#818798)

  - ALSA: hda - Apply pin-enablement workaround to all     Haswell HDMI codecs. (bnc#818798)

  - xfs: fallback to vmalloc for large buffers in     xfs_attrmulti_attr_get. (bnc#818053)

  - xfs: fallback to vmalloc for large buffers in     xfs_attrlist_by_handle. (bnc#818053)

  - xfs: xfs: fallback to vmalloc for large buffers in     xfs_compat_attrlist_by_handle. (bnc#818053)

  - xHCI: store rings type.

  - xhci: Fix hang on back-to-back Set TR Deq Ptr commands.

  - xHCI: check enqueue pointer advance into dequeue seg.

  - xHCI: store rings last segment and segment numbers.

  - xHCI: Allocate 2 segments for transfer ring.

  - xHCI: count free TRBs on transfer ring.

  - xHCI: factor out segments allocation and free function.

  - xHCI: update sg tablesize.

  - xHCI: set cycle state when allocate rings.

  - xhci: Reserve one command for USB3 LPM disable.

  - xHCI: dynamic ring expansion.

  - xhci: Do not warn on empty ring for suspended devices.

  - md/raid1: Do not release reference to device while     handling read error. (bnc#809122, bnc#814719)

  - rpm/mkspec: Stop generating the get_release_number.sh     file.

  - rpm/kernel-spec-macros: Properly handle KOTD release     numbers with .g suffix.

  - rpm/kernel-spec-macros: Drop the %release_num macro We     no longer put the -rcX tag into the release string.

  - rpm/kernel-*.spec.in, rpm/mkspec: Do not force the     '<RELEASE>' string in specfiles.

  - mm/mmap: check for RLIMIT_AS before unmapping.
    (bnc#818327)

  - mm: Fix add_page_wait_queue() to work for PG_Locked bit     waiters. (bnc#792584)

  - mm: Fix add_page_wait_queue() to work for PG_Locked bit     waiters. (bnc#792584)

  - bonding: only use primary address for ARP. (bnc#815444)

  - bonding: remove entries for master_ip and vlan_ip and     query devices instead. (bnc#815444)

  - mm: speedup in __early_pfn_to_nid. (bnc#810624)

  - TTY: fix atime/mtime regression. (bnc#815745)

  - sd_dif: problem with verify of type 1 protection     information (PI). (bnc#817010)

  - sched: harden rq rt usage accounting. (bnc#769685,     bnc#788590)

  - rcu: Avoid spurious RCU CPU stall warnings. (bnc#816586)

  - rcu: Dump local stack if cannot dump all CPUs stacks.
    (bnc#816586)

  - rcu: Fix detection of abruptly-ending stall.
    (bnc#816586)

  - rcu: Suppress NMI backtraces when stall ends before     dump. (bnc#816586)

  - Update Xen patches to 3.0.74.

  - btrfs: do not re-enter when allocating a chunk.

  - btrfs: save us a read_lock.

  - btrfs: Check CAP_DAC_READ_SEARCH for     BTRFS_IOC_INO_PATHS.

  - btrfs: remove unused fs_info from btrfs_decode_error().

  - btrfs: handle null fs_info in btrfs_panic().

  - btrfs: fix varargs in __btrfs_std_error.

  - btrfs: fix the race between bio and btrfs_stop_workers.

  - btrfs: fix NULL pointer after aborting a transaction.

  - btrfs: fix infinite loop when we abort on mount.

  - xfs: Do not allocate new buffers on every call to
    _xfs_buf_find. (bnc#763968)

  - xfs: fix buffer lookup race on allocation failure.
    (bnc#763968)

An information leak was discovered in the Linux kernel when inotify is used to monitor the /dev/ptmx device. A local user could exploit this flaw to discover keystroke timing and potentially discover sensitive information like password length. (CVE-2013-0160)

An information leak was discovered in the Linux kernel's tkill and tgkill system calls when used from compat processes. A local user could exploit this flaw to examine potentially sensitive kernel memory. (CVE-2013-2141)

A flaw was discovered in the Linux kernel's perf events subsystem for Intel Sandy Bridge and Ivy Bridge processors. A local user could exploit this flaw to cause a denial of service (system crash).
(CVE-2013-2146)

An information leak was discovered in the Linux kernel's crypto API. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3076)

An information leak was discovered in the Linux kernel's rcvmsg path for ATM (Asynchronous Transfer Mode). A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3222)

An information leak was discovered in the Linux kernel's recvmsg path for ax25 address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3223)

An information leak was discovered in the Linux kernel's recvmsg path for the bluetooth address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3224)

An information leak was discovered in the Linux kernel's bluetooth rfcomm protocol support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3225)

An information leak was discovered in the Linux kernel's CAIF protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3227)

An information leak was discovered in the Linux kernel's IRDA (infrared) support subsystem. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3228)

An information leak was discovered in the Linux kernel's s390 - z/VM support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3229)

An information leak was discovered in the Linux kernel's l2tp (Layer Two Tunneling Protocol) implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3230)

An information leak was discovered in the Linux kernel's llc (Logical Link Layer 2) support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3231)

An information leak was discovered in the Linux kernel's receive message handling for the netrom address family. A local user could exploit this flaw to obtain sensitive information from the kernel's stack memory. (CVE-2013-3232)

An information leak was discovered in the Linux kernel's nfc (near field communication) support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3233)

An information leak was discovered in the Linux kernel's Rose X.25 protocol layer. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3234)

An information leak was discovered in the Linux kernel's TIPC (Transparent Inter Process Communication) protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3235).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An information leak was discovered in the Linux kernel when inotify is used to monitor the /dev/ptmx device. A local user could exploit this flaw to discover keystroke timing and potentially discover sensitive information like password length. (CVE-2013-0160)

A flaw was discovered in the Linux kernel's perf events subsystem for Intel Sandy Bridge and Ivy Bridge processors. A local user could exploit this flaw to cause a denial of service (system crash).
(CVE-2013-2146)

An information leak was discovered in the Linux kernel's crypto API. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3076)

An information leak was discovered in the Linux kernel's rcvmsg path for ATM (Asynchronous Transfer Mode). A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3222)

An information leak was discovered in the Linux kernel's recvmsg path for ax25 address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3223)

An information leak was discovered in the Linux kernel's recvmsg path for the bluetooth address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3224)

An information leak was discovered in the Linux kernel's bluetooth rfcomm protocol support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3225)

An information leak was discovered in the Linux kernel's CAIF protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3227)

An information leak was discovered in the Linux kernel's IRDA (infrared) support subsystem. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3228)

An information leak was discovered in the Linux kernel's s390 - z/VM support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3229)

An information leak was discovered in the Linux kernel's llc (Logical Link Layer 2) support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3231)

An information leak was discovered in the Linux kernel's receive message handling for the netrom address family. A local user could exploit this flaw to obtain sensitive information from the kernel's stack memory. (CVE-2013-3232)

An information leak was discovered in the Linux kernel's Rose X.25 protocol layer. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3234)

An information leak was discovered in the Linux kernel's TIPC (Transparent Inter Process Communication) protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3235).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An information leak was discovered in the Linux kernel's crypto API. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3076)

An information leak was discovered in the Linux kernel's rcvmsg path for ATM (Asynchronous Transfer Mode). A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3222)

An information leak was discovered in the Linux kernel's recvmsg path for ax25 address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3223)

An information leak was discovered in the Linux kernel's recvmsg path for the bluetooth address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3224)

An information leak was discovered in the Linux kernel's bluetooth rfcomm protocol support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3225)

An information leak was discovered in the Linux kernel's bluetooth SCO sockets implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3226)

An information leak was discovered in the Linux kernel's CAIF protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3227)

An information leak was discovered in the Linux kernel's IRDA (infrared) support subsystem. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3228)

An information leak was discovered in the Linux kernel's s390 - z/VM support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3229)

An information leak was discovered in the Linux kernel's l2tp (Layer Two Tunneling Protocol) implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3230)

An information leak was discovered in the Linux kernel's llc (Logical Link Layer 2) support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3231)

An information leak was discovered in the Linux kernel's nfc (near field communication) support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3233)

An information leak was discovered in the Linux kernel's Rose X.25 protocol layer. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3234)

An information leak was discovered in the Linux kernel's TIPC (Transparent Inter Process Communication) protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3235).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2013-0160     vladz reported a timing leak with the /dev/ptmx     character device. A local user could use this to     determine sensitive information such as password length.

  - CVE-2013-1796     Andrew Honig of Google reported an issue in the KVM     subsystem. A user in a guest operating system could     corrupt kernel memory, resulting in a denial of service.

  - CVE-2013-1929     Oded Horovitz and Brad Spengler reported an issue in the     device driver for Broadcom Tigon3 based gigabit     Ethernet. Users with the ability to attach untrusted     devices can create an overflow condition, resulting in a     denial of service or elevated privileges.

  - CVE-2013-1979     Andy Lutomirski reported an issue in the socket level     control message processing subsystem. Local users may be     able to gain eleveated privileges.

  - CVE-2013-2015     Theodore Ts'o provided a fix for an issue in the ext4     filesystem. Local users with the ability to mount a     specially crafted filesystem can cause a denial of     service (infinite loop).

  - CVE-2013-2094     Tommie Rantala discovered an issue in the perf     subsystem. An out-of-bounds access vulnerability allows     local users to gain elevated privileges.

  - CVE-2013-3076     Mathias Krause discovered an issue in the userspace     interface for hash algorithms. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3222     Mathias Krause discovered an issue in the Asynchronous     Transfer Mode (ATM) protocol support. Local users can     gain access to sensitive kernel memory.

  - CVE-2013-3223     Mathias Krause discovered an issue in the Amateur Radio     AX.25 protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3224     Mathias Krause discovered an issue in the Bluetooth     subsystem. Local users can gain access to sensitive     kernel memory.

  - CVE-2013-3225     Mathias Krause discovered an issue in the Bluetooth     RFCOMM protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3227     Mathias Krause discovered an issue in the Communication     CPU to Application CPU Interface (CAIF). Local users can     gain access to sensitive kernel memory.

  - CVE-2013-3228     Mathias Krause discovered an issue in the IrDA     (infrared) subsystem support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3229     Mathias Krause discovered an issue in the IUCV support     on s390 systems. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3231     Mathias Krause discovered an issue in the ANSI/IEEE     802.2 LLC type 2 protocol support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3234     Mathias Krause discovered an issue in the Amateur Radio     X.25 PLP (Rose) protocol support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3235     Mathias Krause discovered an issue in the Transparent     Inter Process Communication (TIPC) protocol support.
    Local users can gain access to sensitive kernel memory.

  - CVE-2013-3301     Namhyung Kim reported an issue in the tracing subsystem.
    A privileged local user could cause a denial of service     (system crash). This vulnerabililty is not applicable to     Debian systems by default.

ID	Name	Product	Family	Severity
74878	openSUSE Security Update : kernel (openSUSE-SU-2013:1971-1)	Nessus	SuSE Local Security Checks	high
68954	SuSE 11.3 Security Update : Linux kernel (SAT Patch Numbers 7991 / 7992 / 7994)	Nessus	SuSE Local Security Checks	medium
66975	Mandriva Linux Security Advisory : kernel (MDVSA-2013:176)	Nessus	Mandriva Local Security Checks	high
66912	SuSE 11.2 Security Update : Linux kernel (SAT Patch Numbers 7811 / 7813 / 7814)	Nessus	SuSE Local Security Checks	medium
66904	Ubuntu 12.10 : linux vulnerabilities (USN-1881-1)	Nessus	Ubuntu Local Security Checks	medium
66903	Ubuntu 12.04 LTS : linux-lts-quantal vulnerabilities (USN-1880-1)	Nessus	Ubuntu Local Security Checks	medium
66902	Ubuntu 12.04 LTS : linux vulnerabilities (USN-1878-1)	Nessus	Ubuntu Local Security Checks	medium
66590	Ubuntu 13.04 : linux vulnerabilities (USN-1837-1)	Nessus	Ubuntu Local Security Checks	medium
66486	Debian DSA-2669-1 : linux - privilege escalation/denial of service/information leak	Nessus	Debian Local Security Checks	high

CVE-2013-3227

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins