{
  "schema_version": "1.6.2",
  "id": "MGASA-2014-0043",
  "published": "2014-02-10T20:03:47Z",
  "modified": "2014-02-10T20:03:32Z",
  "summary": "Updated kernel-linus package fixes multiple vulnerabilities",
  "details": "This kernel update provides an update to the 3.10 longterm branch,\ncurrently 3.10.28 and fixes the following security issues:\n\nThe ath9k_htc_set_bssid_mask function in \ndrivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through\n3.12 uses a BSSID masking approach to determine the set of MAC addresses\non which a Wi-Fi device is listening, which allows remote attackers to\ndiscover the original MAC address after spoofing by sending a series of\npackets to MAC addresses with certain bit manipulations. (CVE-2013-4579)\n\nArray index error in the kvm_vm_ioctl_create_vcpu function in \nvirt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through\n3.12.5 allows local users to gain privileges via a large id value\n(CVE-2013-4587)\n\nThe apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem\nin the Linux kernel through 3.12.5 allows guest OS users to cause a denial\nof service (divide-by-zero error and host OS crash) via crafted\nmodifications of the TMICT value. (CVE-2013-6367)\n\nThe KVM subsystem in the Linux kernel through 3.12.5 allows local users to\ngain privileges or cause a denial of service (system crash) via a VAPIC\nsynchronization operation involving a page-end address.  (CVE-2013-6368)\n\nThe recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM\nsubsystem  in the Linux kernel through 3.12.5 allows guest OS users to\ncause a denial of service (host OS crash) via a crafted ICR write\noperation in x2apic mode. (CVE-2013-6376)\n\nMultiple buffer underflows in the XFS implementation in the Linux kernel\nthrough 3.12.1 allow local users to cause a denial of service (memory\ncorruption) or possibly have unspecified other impact by leveraging the\nCAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2)\nXFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value,\nrelated to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c\nand the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c.\n(CVE-2013-6382)\n\nPageexec reported a bug in the Linux kernel's recvmmsg syscall when called\nfrom code using the x32 ABI. An unprivileged local user could exploit this\nflaw to cause a denial of service (system crash) or gain administrator\nprivileges (CVE-2014-0038)\n\nFaults during task-switch due to unhandled FPU-exceptions allow to\nkill processes at random on all affected kernels, resulting in local\nDOS in the end. One some architectures, privilege escalation under\nnon-common circumstances is possible. (CVE-2014-1438)\n\nThe hamradio yam_ioctl() code fails to initialise the cmd field of the\nstruct yamdrv_ioctl_cfg leading to a 4-byte info leak. (CVE-2014-1446)\n\nLinux kernel built with the NetFilter Connection Tracking(NF_CONNTRACK)\nsupport for IRC protocol(NF_NAT_IRC), is vulnerable to an information\nleakage flaw. It could occur when communicating over direct\nclient-to-client IRC connection(/dcc) via a NAT-ed network. Kernel\nattempts to mangle IRC TCP packet's content, wherein an uninitialised\n'buffer' object is copied to a socket buffer and sent over to the other\nend of a connection. (CVE-2014-1690)\n\nFor other changes, see the referenced changelogs:\n",
  "related": [
    "CVE-2013-4579",
    "CVE-2013-4587",
    "CVE-2013-6367",
    "CVE-2013-6368",
    "CVE-2013-6376",
    "CVE-2013-6382",
    "CVE-2014-0038",
    "CVE-2014-1438",
    "CVE-2014-1446",
    "CVE-2014-1690"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2014-0043.html"
    },
    {
      "type": "REPORT",
      "url": "https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.25"
    },
    {
      "type": "REPORT",
      "url": "https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.26"
    },
    {
      "type": "REPORT",
      "url": "https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.27"
    },
    {
      "type": "REPORT",
      "url": "https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.28"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=12518"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:3",
        "name": "kernel-linus",
        "purl": "pkg:rpm/mageia/kernel-linus?arch=source&distro=mageia-3"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.10.28-1.mga3"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}