Advisories ยป MGASA-2014-0043

Updated kernel-linus package fixes multiple vulnerabilities

Publication date: 10 Feb 2014
Modification date: 10 Feb 2014
Type: security
Affected Mageia releases : 3
CVE: CVE-2013-4579 , CVE-2013-4587 , CVE-2013-6367 , CVE-2013-6368 , CVE-2013-6376 , CVE-2013-6382 , CVE-2014-0038 , CVE-2014-1438 , CVE-2014-1446 , CVE-2014-1690

Description

This kernel update provides an update to the 3.10 longterm branch,
currently 3.10.28 and fixes the following security issues:

The ath9k_htc_set_bssid_mask function in 
drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through
3.12 uses a BSSID masking approach to determine the set of MAC addresses
on which a Wi-Fi device is listening, which allows remote attackers to
discover the original MAC address after spoofing by sending a series of
packets to MAC addresses with certain bit manipulations. (CVE-2013-4579)

Array index error in the kvm_vm_ioctl_create_vcpu function in 
virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through
3.12.5 allows local users to gain privileges via a large id value
(CVE-2013-4587)

The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem
in the Linux kernel through 3.12.5 allows guest OS users to cause a denial
of service (divide-by-zero error and host OS crash) via crafted
modifications of the TMICT value. (CVE-2013-6367)

The KVM subsystem in the Linux kernel through 3.12.5 allows local users to
gain privileges or cause a denial of service (system crash) via a VAPIC
synchronization operation involving a page-end address.  (CVE-2013-6368)

The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM
subsystem  in the Linux kernel through 3.12.5 allows guest OS users to
cause a denial of service (host OS crash) via a crafted ICR write
operation in x2apic mode. (CVE-2013-6376)

Multiple buffer underflows in the XFS implementation in the Linux kernel
through 3.12.1 allow local users to cause a denial of service (memory
corruption) or possibly have unspecified other impact by leveraging the
CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2)
XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value,
related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c
and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c.
(CVE-2013-6382)

Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called
from code using the x32 ABI. An unprivileged local user could exploit this
flaw to cause a denial of service (system crash) or gain administrator
privileges (CVE-2014-0038)

Faults during task-switch due to unhandled FPU-exceptions allow to
kill processes at random on all affected kernels, resulting in local
DOS in the end. One some architectures, privilege escalation under
non-common circumstances is possible. (CVE-2014-1438)

The hamradio yam_ioctl() code fails to initialise the cmd field of the
struct yamdrv_ioctl_cfg leading to a 4-byte info leak. (CVE-2014-1446)

Linux kernel built with the NetFilter Connection Tracking(NF_CONNTRACK)
support for IRC protocol(NF_NAT_IRC), is vulnerable to an information
leakage flaw. It could occur when communicating over direct
client-to-client IRC connection(/dcc) via a NAT-ed network. Kernel
attempts to mangle IRC TCP packet's content, wherein an uninitialised
'buffer' object is copied to a socket buffer and sent over to the other
end of a connection. (CVE-2014-1690)

For other changes, see the referenced changelogs:

References

SRPMS

3/core