ID CVE-2013-1792
Summary Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) via crafted keyctl system calls that trigger keyring operations in simultaneous threads.
References
Vulnerable Configurations
  • Linux Kernel 3.8.0
    cpe:2.3:o:linux:linux_kernel:3.8.0
  • Linux Kernel 3.8.1
    cpe:2.3:o:linux:linux_kernel:3.8.1
  • Linux Kernel 3.8.2
    cpe:2.3:o:linux:linux_kernel:3.8.2
CVSS
Base: 4.7 (as of 22-03-2013 - 12:54)
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Access
VectorComplexityAuthentication
LOCAL MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE COMPLETE
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-2520.NASL
    description Description of changes: kernel-uek [2.6.32-400.26.2.el6uek] - mm/hotplug: correctly add new zone to all other nodes' zone lists (Jiang Liu) [Orabug: 16603569] {CVE-2012-5517} - ptrace: ptrace_resume() shouldn't wake up !TASK_TRACED thread (Oleg Nesterov) [Orabug: 16405868] {CVE-2013-0871} - ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL (Oleg Nesterov) [Orabug: 16405868] {CVE-2013-0871} - ptrace: introduce signal_wake_up_state() and ptrace_signal_wake_up() (Oleg Nesterov) [Orabug: 16405868] {CVE-2013-0871} - Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() (Anderson Lizardo) [Orabug: 16711062] {CVE-2013-0349} - dccp: check ccid before dereferencing (Mathias Krause) [Orabug: 16711040] {CVE-2013-1827} - USB: io_ti: Fix NULL dereference in chase_port() (Wolfgang Frisch) [Orabug: 16425435] {CVE-2013-1774} - keys: fix race with concurrent install_user_keyrings() (David Howells) [Orabug: 16493369] {CVE-2013-1792} - KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) (Andy Honig) [Orabug: 16710937] {CVE-2013-1798} - KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) (Jerry Snitselaar) [Orabug: 16710794] {CVE-2013-1796} - net/tun: fix ioctl() based info leaks (Mathias Krause) [Orabug: 16675501] {CVE-2012-6547} - atm: fix info leak via getsockname() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6546} - atm: fix info leak in getsockopt(SO_ATMPVC) (Mathias Krause) [Orabug: 16675501] {CVE-2012-6546} - xfrm_user: fix info leak in copy_to_user_tmpl() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6537} - xfrm_user: fix info leak in copy_to_user_policy() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6537} - xfrm_user: fix info leak in copy_to_user_state() (Mathias Krause) [Orabug: 16675501] {CVE-2013-6537} - xfrm_user: return error pointer instead of NULL #2 (Mathias Krause) [Orabug: 16675501] {CVE-2013-1826} - xfrm_user: return error pointer instead of NULL (Mathias Krause) [Orabug: 16675501] {CVE-2013-1826}
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 68852
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68852
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2013-2520)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-3630.NASL
    description This 3.8.2 update fixes contains a wide variety of important fixes including an issue that many users have seen with backlight during resume. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 65183
    published 2013-03-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65183
    title Fedora 18 : kernel-3.8.2-206.fc18 (2013-3630)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2013-176.NASL
    description Multiple vulnerabilities has been found and corrected in the Linux kernel : The scm_set_cred function in include/net/scm.h in the Linux kernel before 3.8.11 uses incorrect uid and gid values during credentials passing, which allows local users to gain privileges via a crafted application. (CVE-2013-1979) The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3232) net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3235) The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3234) The llcp_sock_recvmsg function in net/nfc/llcp/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable and a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3233) The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3231) The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3229) The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3228) The caif_seqpkt_recvmsg function in net/caif/caif_socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3227) The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3225) The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3224) The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3223) The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3222) Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program. (CVE-2013-2596) arch/x86/kernel/cpu/perf_event_intel.c in the Linux kernel before 3.8.9, when the Performance Events Subsystem is enabled, specifies an incorrect bitmask, which allows local users to cause a denial of service (general protection fault and system crash) by attempting to set a reserved bit. (CVE-2013-2146) The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call. (CVE-2013-2094) The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application. (CVE-2013-1798) Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation. (CVE-2013-1797) The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application. (CVE-2013-1796) The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call. (CVE-2013-2141) Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel before 3.8.6 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure. (CVE-2013-1929) The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.8-rc1, allows local users to cause a denial of service (daemon exit) via a crafted application that sends a Netlink message. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2669. (CVE-2012-5532) The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (CVE-2012-6548) The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (CVE-2012-6549) net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (CVE-2013-2634) The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (CVE-2013-2635) fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments to functions in certain circumstances related to printk input, which allows local users to conduct format-string attacks and possibly gain privileges via a crafted application. (CVE-2013-1848) The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. (CVE-2013-0914) Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux kernel before 3.8.4 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted cdc-wdm USB device. (CVE-2013-1860) Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) via crafted keyctl system calls that trigger keyring operations in simultaneous threads. (CVE-2013-1792) The report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect C library function for copying strings, which allows local users to obtain sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability. (CVE-2013-2546) The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 does not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability. (CVE-2013-2547) The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect length value during a copy operation, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. (CVE-2013-2548) The translate_desc function in drivers/vhost/vhost.c in the Linux kernel before 3.7 does not properly handle cross-region descriptors, which allows guest OS users to obtain host OS privileges by leveraging KVM guest OS privileges. (CVE-2013-0311) Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message. (CVE-2013-1763) The __skb_recv_datagram function in net/core/datagram.c in the Linux kernel before 3.8 does not properly handle the MSG_PEEK flag with zero-length data, which allows local users to cause a denial of service (infinite loop and system hang) via a crafted application. (CVE-2013-0290) Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option. (CVE-2013-1767) The xen_iret function in arch/x86/xen/xen-asm_32.S in the Linux kernel before 3.7.9 on 32-bit Xen paravirt_ops platforms does not properly handle an invalid value in the DS segment register, which allows guest OS users to gain guest OS privileges via a crafted application. (CVE-2013-0228) Memory leak in drivers/net/xen-netback/netback.c in the Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (memory consumption) by triggering certain error conditions. (CVE-2013-0217) The Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (loop) by triggering ring pointer corruption. (CVE-2013-0216) The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (CVE-2012-6547) The updated packages provides a solution for these security issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 66975
    published 2013-06-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66975
    title Mandriva Linux Security Advisory : kernel (MDVSA-2013:176)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2014-0287-1.NASL
    description This is a SUSE Linux Enterprise Server 11 SP1 LTSS roll up update to fix a lot of security issues and non-security bugs. The following security bugs have been fixed : CVE-2011-3593: A certain Red Hat patch to the vlan_hwaccel_do_receive function in net/8021q/vlan_core.c in the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 allows remote attackers to cause a denial of service (system crash) via priority-tagged VLAN frames. (bnc#735347) CVE-2012-1601: The KVM implementation in the Linux kernel before 3.3.6 allows host OS users to cause a denial of service (NULL pointer dereference and host OS crash) by making a KVM_CREATE_IRQCHIP ioctl call after a virtual CPU already exists. (bnc#754898) CVE-2012-2137: Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the Linux kernel before 3.2.24 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to Message Signaled Interrupts (MSI), irq routing entries, and an incorrect check by the setup_routing_entry function before invoking the kvm_set_irq function. (bnc#767612) CVE-2012-2372: The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel 3.7.4 and earlier allows local users to cause a denial of service (BUG_ON and kernel panic) by establishing an RDS connection with the source IP address equal to the IPoIB interfaces own IP address, as demonstrated by rds-ping. (bnc#767610) CVE-2012-2745: The copy_creds function in kernel/cred.c in the Linux kernel before 3.3.2 provides an invalid replacement session keyring to a child process, which allows local users to cause a denial of service (panic) via a crafted application that uses the fork system call. (bnc#770695) CVE-2012-3375: The epoll_ctl system call in fs/eventpoll.c in the Linux kernel before 3.2.24 does not properly handle ELOOP errors in EPOLL_CTL_ADD operations, which allows local users to cause a denial of service (file-descriptor consumption and system crash) via a crafted application that attempts to create a circular epoll dependency. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1083. (bnc#769896) CVE-2012-3412: The sfc (aka Solarflare Solarstorm) driver in the Linux kernel before 3.2.30 allows remote attackers to cause a denial of service (DMA descriptor consumption and network-controller outage) via crafted TCP packets that trigger a small MSS value. (bnc#774523) CVE-2012-3430: The rds_recvmsg function in net/rds/recv.c in the Linux kernel before 3.0.44 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) recvfrom or (2) recvmsg system call on an RDS socket. (bnc#773383) CVE-2012-3511: Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5 allow local users to cause a denial of service (use-after-free and system crash) via vectors involving a (1) munmap or (2) close system call. (bnc#776885) CVE-2012-4444: The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote attackers to bypass intended network restrictions via overlapping IPv6 fragments. (bnc#789831) CVE-2012-4530: The load_script function in fs/binfmt_script.c in the Linux kernel before 3.7.2 does not properly handle recursion, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#786013) CVE-2012-4565: The tcp_illinois_info function in net/ipv4/tcp_illinois.c in the Linux kernel before 3.4.19, when the net.ipv4.tcp_congestion_control illinois setting is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) by reading TCP stats. (bnc#787576) CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. (bnc#809889) CVE-2012-6538: The copy_to_user_auth function in net/xfrm/xfrm_user.c in the Linux kernel before 3.6 uses an incorrect C library function for copying a string, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability. (bnc#809889) CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809891) CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 3.6 does not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809892) CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809893) CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return value in certain circumstances, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument. (bnc#809894) CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. (bnc#809898) CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application. (bnc#809899) CVE-2012-6546: The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809900) CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809901) CVE-2012-6548: The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (bnc#809902) CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (bnc#809903) CVE-2013-0160: The Linux kernel through 3.7.9 allows local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device. (bnc#797175) CVE-2013-0216: The Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (loop) by triggering ring pointer corruption. (bnc#800280)(XSA-39) CVE-2013-0231: The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. NOTE: some of these details are obtained from third-party information. (bnc#801178)(XSA-43) CVE-2013-0268: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel before 3.7.6 allows local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c. (bnc#802642) CVE-2013-0310: The cipso_v4_validate function in net/ipv4/cipso_ipv4.c in the Linux kernel before 3.4.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an IPOPT_CIPSO IP_OPTIONS setsockopt system call. (bnc#804653) CVE-2013-0343: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages. (bnc#805226) CVE-2013-0349: The hidp_setup_hid function in net/bluetooth/hidp/core.c in the Linux kernel before 3.7.6 does not properly copy a certain name field, which allows local users to obtain sensitive information from kernel memory by setting a long name and making an HIDPCONNADD ioctl call. (bnc#805227) CVE-2013-0871: Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death. (bnc#804154) CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. (bnc#808827) CVE-2013-1767: Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option. (bnc#806138) CVE-2013-1773: Buffer overflow in the VFAT filesystem implementation in the Linux kernel before 3.3 allows local users to gain privileges or cause a denial of service (system crash) via a VFAT write operation on a filesystem with the utf8 mount option, which is not properly handled during UTF-8 to UTF-16 conversion. (bnc#806977) CVE-2013-1774: The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter. (bnc#806976) CVE-2013-1792: Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) via crafted keyctl system calls that trigger keyring operations in simultaneous threads. (bnc#808358) CVE-2013-1796: The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application. (bnc#806980) CVE-2013-1797: Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation. (bnc#806980) CVE-2013-1798: The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application. (bnc#806980) CVE-2013-1827: net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call. (bnc#811354) CVE-2013-1928: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel before 3.6.5 on unspecified architectures lacks a certain error check, which might allow local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device. (bnc#813735) CVE-2013-1943: The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified during allocation of memory slots for use in a guests physical address space, which allows local users to gain privileges or obtain sensitive information from kernel memory via a crafted application, related to arch/x86/kvm/paging_tmpl.h and virt/kvm/kvm_main.c. (bnc#828012) CVE-2013-2015: The ext4_orphan_del function in fs/ext4/namei.c in the Linux kernel before 3.7.3 does not properly handle orphan-list entries for non-journal filesystems, which allows physically proximate attackers to cause a denial of service (system hang) via a crafted filesystem on removable media, as demonstrated by the e2fsprogs tests/f_orphan_extents_inode/image.gz test. (bnc#817377) CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call. (bnc#823267) CVE-2013-2147: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel through 3.9.4 do not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c. (bnc#823260) CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. (bnc#824295) CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. (bnc#827750) CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. (bnc#827749) CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (bnc#828119) CVE-2013-2634: net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#810473) CVE-2013-2851: Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name. (bnc#822575) CVE-2013-2852: Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message. (bnc#822579) CVE-2013-2888: Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID. (bnc#835839) CVE-2013-2889: drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. (bnc#835839) CVE-2013-2892: drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. (bnc#835839) CVE-2013-2893: The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c. (bnc#835839) CVE-2013-2897: Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device. (bnc#835839) CVE-2013-2929: The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h. (bnc#847652) CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3225: The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3235: net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-4345: Off-by-one error in the get_prng_bytes function in crypto/ansi_cprng.c in the Linux kernel through 3.11.4 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via multiple requests for small amounts of data, leading to improper management of the state of the consumed data. (bnc#840226) CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. (bnc#847672) CVE-2013-4483: The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application. (bnc#848321) CVE-2013-4511: Multiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c. (bnc#849021) CVE-2013-4587: Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value. (bnc#853050) CVE-2013-4588: Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function. (bnc#851095) CVE-2013-4591: Buffer overflow in the __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the Linux kernel before 3.7.2 allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via a getxattr system call for the system.nfs4_acl extended attribute of a pathname on an NFSv4 filesystem. (bnc#851103) CVE-2013-6367: The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value. (bnc#853051) CVE-2013-6368: The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address. (bnc#853052) CVE-2013-6378: The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation. (bnc#852559) CVE-2013-6383: The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call. (bnc#852558) CVE-2014-1444: The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869) CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call. (bnc#858870) CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. (bnc#858872) Also the following non-security bugs have been fixed : - x86: Clear HPET configuration registers on startup (bnc#748896). - sched: fix divide by zero in task_utime() (bnc#761774). - sched: Fix pick_next_highest_task_rt() for cgroups (bnc#760596). - mm: hugetlbfs: Close race during teardown of hugetlbfs shared page tables. - mm: hugetlbfs: Correctly detect if page tables have just been shared. (Fix bad PMD message displayed while using hugetlbfs (bnc#762366)). - cpumask: Partition_sched_domains takes array of cpumask_var_t (bnc#812364). - cpumask: Simplify sched_rt.c (bnc#812364). - kabi: protect bind_conflict callback in struct inet_connection_sock_af_ops (bnc#823618). - memcg: fix init_section_page_cgroup pfn alignment (bnc#835481). - tty: fix up atime/mtime mess, take three (bnc#797175). - tty: fix atime/mtime regression (bnc#815745). - ptrace: ptrace_resume() should not wake up !TASK_TRACED thread (bnc#804154). - kbuild: Fix gcc -x syntax (bnc#773831). - ftrace: Disable function tracing during suspend/resume and hibernation, again (bnc#768668). proc: fix pagemap_read() error case (bnc#787573). net: Upgrade device features irrespective of mask (bnc#715250). - tcp: bind() fix autoselection to share ports (bnc#823618). - tcp: bind() use stronger condition for bind_conflict (bnc#823618). - tcp: ipv6: bind() use stronger condition for bind_conflict (bnc#823618). - netfilter: use RCU safe kfree for conntrack extensions (bnc#827416). - netfilter: prevent race condition breaking net reference counting (bnc#835094). - netfilter: send ICMPv6 message on fragment reassembly timeout (bnc#773577). - netfilter: fix sending ICMPv6 on netfilter reassembly timeout (bnc#773577). - tcp_cubic: limit delayed_ack ratio to prevent divide error (bnc#810045). bonding: in balance-rr mode, set curr_active_slave only if it is up (bnc#789648). scsi: Add 'eh_deadline' to limit SCSI EH runtime (bnc#798050). - scsi: Allow error handling timeout to be specified (bnc#798050). - scsi: Fixup compilation warning (bnc#798050). - scsi: Retry failfast commands after EH (bnc#798050). - scsi: Warn on invalid command completion (bnc#798050). - scsi: Always retry internal target error (bnc#745640, bnc#825227). - scsi: kABI fixes (bnc#798050). - scsi: remove check for 'resetting' (bnc#798050). - scsi: Eliminate error handler overload of the SCSI serial number (bnc#798050). - scsi: Reduce error recovery time by reducing use of TURs (bnc#798050). - scsi: Reduce sequential pointer derefs in scsi_error.c and reduce size as well (bnc#798050). - scsi: cleanup setting task state in scsi_error_handler() (bnc#798050). - scsi: fix eh wakeup (scsi_schedule_eh vs scsi_restart_operations) (bnc#798050). scsi: fix id computation in scsi_eh_target_reset() (bnc#798050). advansys: Remove 'last_reset' references (bnc#798050). - dc395: Move 'last_reset' into internal host structure (bnc#798050). - dpt_i2o: Remove DPTI_STATE_IOCTL (bnc#798050). - dpt_i2o: return SCSI_MLQUEUE_HOST_BUSY when in reset (bnc#798050). - fc class: fix scanning when devs are offline (bnc#798050). tmscsim: Move 'last_reset' into host structure (bnc#798050). st: Store page order before driver buffer allocation (bnc#769644). - st: Increase success probability in driver buffer allocation (bnc#769644). st: work around broken __bio_add_page logic (bnc#769644). avoid race by ignoring flush_time in cache_check (bnc#814363). writeback: remove the internal 5% low bound on dirty_ratio - writeback: skip balance_dirty_pages() for in-memory fs (Do not dirty throttle ram-based filesystems (bnc#840858)). writeback: Do not sync data dirtied after sync start (bnc#833820). blkdev_max_block: make private to fs/buffer.c (bnc#820338). - vfs: avoid 'attempt to access beyond end of device' warnings (bnc#820338). vfs: fix O_DIRECT read past end of block device (bnc#820338). lib/radix-tree.c: make radix_tree_node_alloc() work correctly within interrupt (bnc#763463). xfs: allow writeback from kswapd (bnc#826707). - xfs: skip writeback from reclaim context (bnc#826707). - xfs: Serialize file-extending direct IO (bnc#818371). - xfs: Avoid pathological backwards allocation (bnc#805945). xfs: fix inode lookup race (bnc#763463). cifs: clarify the meaning of tcpStatus == CifsGood (bnc#776024). cifs: do not allow cifs_reconnect to exit with NULL socket pointer (bnc#776024). ocfs2: Add a missing journal credit in ocfs2_link_credits() -v2 (bnc#773320). usb: Fix deadlock in hid_reset when Dell iDRAC is reset (bnc#814716). usb: xhci: Fix command completion after a drop endpoint (bnc#807320). netiucv: Hold rtnl between name allocation and device registration (bnc#824159). rwsem: Test for no active locks in __rwsem_do_wake undo code (bnc#813276). nfs: NFSv3/v2: Fix data corruption with NFS short reads (bnc#818337). - nfs: Allow sec=none mounts in certain cases (bnc#795354). - nfs: Make nfsiod a multi-thread queue (bnc#815352). - nfs: increase number of permitted callback connections (bnc#771706). - nfs: Fix Oops in nfs_lookup_revalidate (bnc#780008). - nfs: do not allow TASK_KILLABLE sleeps to block the freezer (bnc#775182). nfs: Avoid race in d_splice_alias and vfs_rmdir (bnc#845028). svcrpc: take lock on turning entry NEGATIVE in cache_check (bnc#803320). - svcrpc: ensure cache_check caller sees updated entry (bnc#803320). - sunrpc/cache: remove races with queuing an upcall (bnc#803320). - sunrpc/cache: use cache_fresh_unlocked consistently and correctly (bnc#803320). - sunrpc/cache: ensure items removed from cache do not have pending upcalls (bnc#803320). - sunrpc/cache: do not schedule update on cache item that has been replaced (bnc#803320). sunrpc/cache: fix test in try_to_negate (bnc#803320). xenbus: fix overflow check in xenbus_dev_write(). - x86: do not corrupt %eip when returning from a signal handler. - scsiback/usbback: move cond_resched() invocations to proper place. netback: fix netbk_count_requests(). dm: add dm_deleting_md function (bnc#785016). - dm: bind new table before destroying old (bnc#785016). - dm: keep old table until after resume succeeded (bnc#785016). dm: rename dm_get_table to dm_get_live_table (bnc#785016). drm/edid: Fix up partially corrupted headers (bnc#780004). drm/edid: Retry EDID fetch up to four times (bnc#780004). i2c-algo-bit: Fix spurious SCL timeouts under heavy load (bnc#780004). hpilo: remove pci_disable_device (bnc#752544). mptsas: handle 'Initializing Command Required' ASCQ (bnc#782178). mpt2sas: Fix race on shutdown (bnc#856917). ipmi: decrease the IPMI message transaction time in interrupt mode (bnc#763654). - ipmi: simplify locking (bnc#763654). ipmi: use a tasklet for handling received messages (bnc#763654). bnx2x: bug fix when loading after SAN boot (bnc#714906). bnx2x: previous driver unload revised (bnc#714906). ixgbe: Address fact that RSC was not setting GSO size for incoming frames (bnc#776144). ixgbe: pull PSRTYPE configuration into a separate function (bnc#780572 bnc#773640 bnc#776144). e1000e: clear REQ and GNT in EECD (82571 && 82572) (bnc#762099). hpsa: do not attempt to read from a write-only register (bnc#777473). aio: Fixup kABI for the aio-implement-request-batching patch (bnc#772849). - aio: bump i_count instead of using igrab (bnc#772849). aio: implement request batching (bnc#772849). Driver core: Do not remove kobjects in device_shutdown (bnc#771992). resources: fix call to alignf() in allocate_resource() (bnc#744955). - resources: when allocate_resource() fails, leave resource untouched (bnc#744955). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 83611
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83611
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2014:0287-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1795-1.NASL
    description Andrew Jones discovered a flaw with the xen_iret function in Linux kernel's Xen virtualizeation. In the 32-bit Xen paravirt platform an unprivileged guest OS user could exploit this flaw to cause a denial of service (crash the system) or gain guest OS privilege. (CVE-2013-0228) Emese Revfy discovered that in the Linux kernel signal handlers could leak address information across an exec, making it possible to by pass ASLR (Address Space Layout Randomization). A local user could use this flaw to by pass ASLR to reliably deliver an exploit payload that would otherwise be stopped (by ASLR). (CVE-2013-0914) A memory use after free error was discover in the Linux kernel's tmpfs filesystem. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-1767) Mateusz Guzik discovered a race in the Linux kernel's keyring. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1792) Mathias Krause discovered a memory leak in the Linux kernel's crypto report API. A local user with CAP_NET_ADMIN could exploit this leak to examine some of the kernel's stack memory. (CVE-2013-2546) Mathias Krause discovered a memory leak in the Linux kernel's crypto report API. A local user with CAP_NET_ADMIN could exploit this leak to examine some of the kernel's heap memory. (CVE-2013-2547) Mathias Krause discovered information leaks in the Linux kernel's crypto algorithm report API. A local user could exploit these flaws to leak kernel stack and heap memory contents. (CVE-2013-2548). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 65870
    published 2013-04-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65870
    title Ubuntu 12.04 LTS : linux-lts-quantal vulnerabilities (USN-1795-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-3909.NASL
    description Update to Linux v3.8.3. Wide variety of fixes across the tree. Contains reverts from upstream 3.8.3 to fix Intel GM45 graphics. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 65650
    published 2013-03-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65650
    title Fedora 17 : kernel-3.8.3-103.fc17 (2013-3909)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KERNEL-130426.NASL
    description The SUSE Linux Enterprise 11 SP2 kernel has been updated to 3.0.74 fix various security issues and bugs : This update brings some features : - Updated HD-audio drivers for Nvidia/AMD HDMI and Haswell audio (FATE#314311 FATE#313695) - Lustre enablement patches were added (FATE#314679). - SGI UV (Ultraviolet) platform support. (FATE#306952) Security issues fixed in this update : - The hidp_setup_hid function in net/bluetooth/hidp/core.c in the Linux kernel did not properly copy a certain name field, which allowed local users to obtain sensitive information from kernel memory by setting a long name and making an HIDPCONNADD ioctl call. (CVE-2013-0349) - Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the Linux kernel allowed local users to cause a denial of service (crash) and to possibly execute arbitrary code via vectors related to Message Signaled Interrupts (MSI), irq routing entries, and an incorrect check by the setup_routing_entry function before invoking the kvm_set_irq function. (CVE-2012-2137) - The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory via a crafted application. (CVE-2012-6549) - The udf_encode_fh function in fs/udf/namei.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory via a crafted application. (CVE-2012-6548) - Timing side channel on attacks were possible on /dev/ptmx that could allow local attackers to predict keypresses like e.g. passwords. This has been fixed by not updating accessed/modified time on the pty devices. Note that this might break pty idle detection, so it might get reverted again. (CVE-2013-0160) - The Xen netback functionality in the Linux kernel allowed guest OS users to cause a denial of service (loop) by triggering ring pointer corruption. (CVE-2013-0216) - The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux allowed guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. (CVE-2013-0231) - The translate_desc function in drivers/vhost/vhost.c in the Linux kernel did not properly handle cross-region descriptors, which allowed guest OS users to obtain host OS privileges by leveraging KVM guest OS privileges. (CVE-2013-0311) - Integer overflow in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel allowed local users to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted application that triggers many relocation copies, and potentially leads to a race condition. (CVE-2013-0913) - The flush_signal_handlers function in kernel/signal.c in the Linux kernel preserved the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. (CVE-2013-0914) - Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel allowed local users to gain privileges or to cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option. (CVE-2013-1767) - The log_prefix function in kernel/printk.c in the Linux kernel 3.x did not properly remove a prefix string from a syslog header, which allowed local users to cause a denial of service (buffer overflow and system crash) by leveraging /dev/kmsg write access and triggering a call_console_drivers function call. (CVE-2013-1772) - The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter. (CVE-2013-1774) - Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) via crafted keyctl system calls that trigger keyring operations in simultaneous threads. (CVE-2013-1792) - The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel did not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allowed guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application. (CVE-2013-1796) - Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel allowed guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation. (CVE-2013-1797) - The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel did not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application. (CVE-2013-1798) - fs/ext3/super.c in the Linux kernel used incorrect arguments to functions in certain circumstances related to printk input, which allowed local users to conduct format-string attacks and possibly gain privileges via a crafted application. (CVE-2013-1848) - Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or to possibly execute arbitrary code via a crafted cdc-wdm USB device. (CVE-2013-1860) - net/dcb/dcbnl.c in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. (CVE-2013-2634) - The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. (CVE-2013-2635) - The msr_open function in arch/x86/kernel/msr.c in the Linux kernel allowed local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c. (CVE-2013-0268) Bugs fixed in this update : BTRFS : - btrfs: do not try to notify udev about missing devices. - btrfs: add cancellation points to defrag. - btrfs: define BTRFS_MAGIC as a u64 value. - btrfs: make sure NODATACOW also gets NODATASUM set. - btrfs: enforce min_bytes parameter during extent allocation. - btrfs: build up error handling for merge_reloc_roots. - btrfs: free all recorded tree blocks on error . - btrfs: do not BUG_ON in prepare_to_reloc . - btrfs: do not BUG_ON on aborted situation . - btrfs: handle a bogus chunk tree nicely . - btrfs: do not drop path when printing out tree errors in scrub . - btrfs: make subvol creation/deletion killable in the early stages. - btrfs: abort unlink trans in missed error case. - btrfs: fix reada debug code compilation. - btrfs: return error when we specify wrong start to defrag. - btrfs: do not force pages under writeback to finish when aborting. USB : - USB: move usb_translate_errors to 1/usb. (bnc#806908) - USB: add EOPNOTSUPP to usb_translate_errors. (bnc#806908) - USB: cdc-wdm: sanitize error returns. (bnc#806908) - USB: cdc-wdm: cleanup error codes. (bnc#806908) - USB: cdc-wdm: add helper to preserve kABI. (bnc#806908) - USB: Do not use EHCI port sempahore for USB 3.0 hubs. (bnc#807560) - USB: Prepare for refactoring by adding extra udev checks. (bnc#807560) - USB: Rip out recursive call on warm port reset. (bnc#807560) - USB: Fix connected device switch to Inactive state. (bnc#807560) - USB: modify hub to detect unplugs in all states. (bnc#807560) - USB: io_ti: Fix NULL dereference in chase_port(). (bnc#806976, CVE-2013-1774) - USB: cdc-wdm: fix buffer overflow. (bnc#806431) - USB: cdc-wdm: cannot use dev_printk when device is gone. (bnc#806469) - USB: cdc-wdm: fix memory leak. (bnc#806466) - elousb: really long delays for broken devices. (bnc#795269) - xhci: Fix conditional check in bandwidth calculation. (bnc#795961) - xHCI: Fix TD Size calculation on 1.0 hosts. (bnc#795957) - xhci: avoid dead ports, add roothub port polling. (bnc#799197) - USB: Handle warm reset failure on empty port. (bnc#799926) - USB: Ignore port state until reset completes. (bnc#799926) - Allow USB 3.0 ports to be disabled. (bnc#799926) - USB: Ignore xHCI Reset Device status. (bnc#799926) - USB: Handle auto-transition from hot to warm reset (bnc#799926). S/390 : - ipl: Implement diag308 loop for zfcpdump (bnc#801720, LTC#88197). - zcore: Add hsa file (bnc#801720, LTC#88198). - kernel: support physical memory > 4TB (bnc#801720, LTC#88787). - mm: Fix crst upgrade of mmap with MAP_FIXED (bnc#801720, LTC#88797). - Update patches.suse/zcrypt-feed-hwrandom (bnc#806825). Allow zcrypt module unload even when the thread is blocked writing to a full random pool. - dca: check against empty dca_domains list before unregister provider fix. - s390/kvm: Fix store status for ACRS/FPRS fix. - series.conf: disabled patches.arch/s390-64-03-kernel-inc-phys-mem.patch due to excessive kabi break. (bnc#801720) ALSA : - patches.drivers/alsa-sp3-pre-695-Yet-another-fix-for-bro ken-HSW-HDMI-pin: Refresh. Fix the invalid PCI SSID check. (bnc#806404) - ALSA: hda - Support mute LED on HP AiO buttons. (bnc#808991) - ALSA: hda: Allow multple SPDIF controls per codec. (bnc#780977) - ALSA: hda: Virtualize SPDIF out controls. (bnc#780977) - ALSA: hda: Separate generic and non-generic implementations. - ALSA: hda: hdmi_eld_update_pcm_info: update a stream in place. - ALSA: hda: HDMI: Support codecs with fewer cvts than pins. - ALSA: hda - Add snd_hda_get_conn_list() helper function. - ALSA: hda - Add snd_hda_override_conn_list() helper function. - ALSA: hda - Increase the max number of coverters/pins in patch_hdmi.c. (bnc#780977) - ALSA: hda - Check non-snoop in a single place. (bnc#801713) - ALSA: HDA: Use LPIB Position fix for Intel SCH Poulsbo. (bnc#801713) - ALSA: hda_intel: Add Oaktrail identifiers. (bnc#801713) - ALSA: HDA: Use LPIB position fix for Oaktrail. (bnc#801713) - ALSA: hda - add id for Atom Cedar Trail HDMI codec. (bnc#801713) - ALSA: hda - Fix detection of Creative SoundCore3D controllers. (bnc#762424) - ALSA: hda - add power states information in proc. (bnc#801713) - ALSA: hda - Show D3cold state in proc files. (bnc#801713) - ALSA: hda - check supported power states. (bnc#801713) - ALSA: hda - reduce msleep time if EPSS power states supported. (bnc#801713) - ALSA: hda - check proper return value. (bnc#801713) - ALSA: hda - power setting error check. (bnc#801713) - ALSA: hda - Add DeviceID for Haswell HDA. (bnc#801713) - ALSA: hda - add Haswell HDMI codec id. (bnc#801713) - ALSA: hda - Fix driver type of Haswell controller to AZX_DRIVER_SCH. - ALSA: hda - Add new GPU codec ID to snd-hda. (bnc#780977) - ALSA: HDMI - Fix channel_allocation array wrong order. (bnc#801713) - ALSA: hda - Avoid BDL position workaround when no_period_wakeup is set. (bnc#801713) - ALSA: hda - Allow to pass position_fix=0 explicitly. (bnc#801713) - ALSA: hda - Add another pci id for Haswell board. - ALSA: hda - force use of SSYNC bits. (bnc#801713) - ALSA: hda - use LPIB for delay estimation. (bnc#801713) - ALSA: hda - add PCI identifier for Intel 5 Series/3400. (bnc#801713) - ALSA: hda - Add workaround for conflicting IEC958 controls (FATE#314311). - ALSA: hda - Stop LPIB delay counting on broken hardware (FATE#313695). - ALSA: hda - Always turn on pins for HDMI/DP (FATE#313695). - ALSA: hda - bug fix for invalid connection list of Haswell HDMI codec pins (FATE#313695). - ALSA - HDA: New PCI ID for Haswell ULT. (bnc#801713) - ALSA: hda - Release assigned pin/cvt at error path of hdmi_pcm_open(). (bnc#801713) - ALSA: hda - Support rereading widgets under the function group. (bnc#801713) - ALSA: hda - Add fixup for Haswell to enable all pin and convertor widgets. (bnc#801713) - ALSA: hda - Yet another fix for broken HSW HDMI pin connections. (bnc#801713) - patches.kabi/alsa-spdif-update-kabi-fixes: Fix kABI breakage due to HD-audio HDMI updates. (bnc#780977) - ALSA: hda - Fix non-snoop page handling. (bnc#800701) - ALSA: hda - Apply mic-mute LED fixup for new HP laptops. (bnc#796418) - patches.drivers/alsa-sp3-pre-695-Yet-another-fix-for-bro ken-HSW-HDMI-pin: Refresh. Fix a superfluous incremental leading to the double array size. (bnc#808966) XEN : - pciback: notify hypervisor about devices intended to be assigned to guests. - patches.xen/xen-clockevents: Update. (bnc#803712) - patches.xen/xen-ipi-per-cpu-irq: Update. (bnc#803712) - patches.xen/xen3-patch-2.6.19: Update. (bnc#809166) - Update Xen patches to 3.0.68. - Update Xen patches to 3.0.63. - netback: fix netbk_count_requests(). - x86/mm: Check if PUD is large when validating a kerneladdress (bnc#794805). OTHER : - Revert dmi_scan: fix missing check for _DMI_ signature in smbios_present(). - Revert drivers/firmware/dmi_scan.c: fetch dmi version from SMBIOS if it exists. - Revert drivers/firmware/dmi_scan.c: check dmi version when get system uuid. - sysfs: Revert sysfs: fix race between readdir and lseek. (bnc#816443) - 8021q: Revert 8021q: fix a potential use-after-free. - /dev/urandom returning EOF: trim down revert to not change kabi. . (bnc#789359) - tun: reserves space for network in skb. (bnc#803394) - Fixed /dev/urandom returning EOF. (bnc#789359) - mm: Make snapshotting pages for stable writes a per-bio operation - fs: Only enable stable page writes when necessary. (bnc#807517) - patches.drivers/ixgbe-Address-fact-that-RSC-was-not-sett ing-GSO-size.patch: Fix. (bnc#802712) - Fix build error without CONFIG_BOOTSPLASH - Fix bootsplash breakage due to 3.0.67 stable fix. (bnc#813963) - drivers/base/memory.c: fix memory_dev_init() long delay. (bnc#804609) - mtd: drop physmap_configure. (bnc#809375) - Bluetooth: btusb: hide more usb_submit_urb errors. (bnc#812281) - o2dlm: fix NULL pointer dereference in o2dlm_blocking_ast_wrapper. (bnc#806492) - qeth: fix qeth_wait_for_threads() deadlock for OSN devices (bnc#812315, LTC#90910). - Fix NULL pointer dereference in o2dlm_blocking_ast_wrapper. (bnc#806492) - mm: fix ALLOC_WMARK_MASK check. (bnc#808166) - pciehp: Fix dmi match table definition and missing space in printk. (bnc#796412) - fnic: Fix SGEs limit. (bnc#807431) - pciehp: Ignore missing surprise bit on some hosts. (bnc#796412) - ipv6: Queue fragments per interface for multicast/link-local addresses. (bnc#804220) - netfilter: send ICMPv6 message on fragment reassembly timeout. (bnc#773577) - netfilter: fix sending ICMPv6 on netfilter reassembly timeout. (bnc#773577) - jbd: clear revoked flag on buffers before a new transaction started. (bnc#806395) - xfrm6: count extension headers into payload length. (bnc#794513) - mm: page_alloc: Avoid marking zones full prematurely after zone_reclaim() (Evict inactive pages when zone_reclaim is enabled (bnc#808166)). - st: Take additional queue ref in st_probe. (bnc#801038, bnc#788826) - drivers: xhci: fix incorrect bit test. (bnc#714604) - xfrm: remove unused xfrm4_policy_fini(). (bnc#801717) - xfrm: make gc_thresh configurable in all namespaces. (bnc#801717) - kabi: use net_generic to avoid changes in struct net. (bnc#801717) - xfs: Fix WARN_ON(delalloc) in xfs_vm_releasepage(). (bnc#806631) - patches.drivers/alsa-sp2-hda-033-Support-mute-LED-on-HP- AiO-buttons: Refresh tags. - block: use i_size_write() in bd_set_size(). (bnc#809748) - loopdev: fix a deadlock. (bnc#809748) - patches.suse/supported-flag: fix mis-reported supported status. (bnc#809493) - patches.suse/supported-flag-enterprise: Refresh. - KVM: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache_init. (bnc#806980 / CVE-2013-1797) - KVM: Fix bounds checking in ioapic indirect register read. (bnc#806980 / CVE-2013-1798) - KVM: Fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME. (bnc#806980 / CVE-2013-1796) - KVM: introduce kvm_read_guest_cached. (bnc#806980) - x86/numa: Add constraints check for nid parameters (Cope with negative SRAT distances (bnc#807853)). - drm/i915: Periodically sanity check power management. (bnc#808307) - drm/i915: bounds check execbuffer relocation count. (bnc#808829,CVE-2013-0913) - ext3: Fix format string issues. (bnc#809155, CVE-2013-1848) - x86-64: Fix memset() to support sizes of 4Gb and above (Properly initialise memmap on large machines (bnc#802353)). - bdi: allow block devices to say that they require stable page writes - mm: only enforce stable page writes if the backing device requires it - block: optionally snapshot page contents to provide stable pages during write - 9pfs: fix filesystem to wait for stable page writeback - ocfs2: wait for page writeback to provide stable pages - ubifs: wait for page writeback to provide stable pages - Only enable stable page writes when required by underlying BDI. (bnc#807517) - KVM: emulator: drop RPL check from linearize() function. (bnc#754583) - mlx4: Correct calls to to_ib_ah_attr(). (bnc#806847) - DRM/i915: On G45 enable cursor plane briefly after enabling the display plane (bnc#753371) [backported from drm-intel-fixes]. - cxgb4i: Remove the scsi host device when removing device. (bnc#722398) - xprtrdma: The transport should not bug-check when a dup reply is received. (bnc#763494) - tmpfs: fix use-after-free of mempolicy object. (bnc#806138, CVE-2013-1767) - lpfc: Check fc_block_scsi_eh return value correctly for lpfc_abort_handler. (bnc#803674) - md: fix bug in handling of new_data_offset. (bnc#805823) - md: Avoid OOPS when reshaping raid1 to raid0 (Useful OOPS fix). - md: fix two bugs when attempting to resize RAID0 array (Useful BUG() fix). - md: raid0: fix error return from create_stripe_zones (useful bug fix). - ext4: add missing kfree() on error return path in add_new_gdb(). - ext4: Free resources in some error path in ext4_fill_super. - intel_idle: support Haswell (fate#313720). - hp_accel: Add a new PnP ID HPQ6007 for new HP laptops. (bnc#802445) - nfs: Ensure NFS does not block on dead server during unmount. (bnc#794529) - block: disable discard request merge temporarily. (bnc#803067) - mm: mmu_notifier: have mmu_notifiers use a global SRCU so they may safely schedule - mm: mmu_notifier: make the mmu_notifier srcu static - mmu_notifier_unregister NULL pointer deref and multiple ->release() callouts - Have mmu_notifiers use SRCU so they may safely schedule kabi compatability - patches.fixes/Have-mmu_notifiers-use-SRCU-so-they-may-sa fely-schedule.patch : - patches.fixes/Have-mmu_notifiers-use-SRCU-so-they-may-sa fely-schedule-build-fix.patch: Delete, replace with upstream equivalent and add KABI workaround (bnc#578046, bnc#786814, FATE#306952). - ipv6: Do not send packet to big messages to self. (bnc#786150) - hpwdt: Unregister NMI events on exit. (bnc#777746) - x86/mm: Check if PUD is large when validating a kernel address. (bnc#794805) - ata: Fix DVD not dectected at some Haswell platforms. (bnc#792674) - Avoid softlockups in printk. (bnc#744692, bnc#789311) - Do not pack credentials for dying processes. (bnc#779577, bnc#803056) - xfs: punch new delalloc blocks out of failed writes inside EOF. (bnc#761849) - xfs: xfs_sync_data is redundant. (bnc#761849) - Add GPIO support for Intel Centerton SOC. (bnc#792793) - Add Multifunction Device support for Intel Centerton SOC. (bnc#792793) - Add Intel Legacy Block support for Intel Centerton SOC. (bnc#792793) - mm: net: Allow some !SOCK_MEMALLOC traffic through even if skb_pfmemalloc (Allow GPFS network traffic despite PF_MEMALLOC misuse (bnc#786900)). - kernel/resource.c: fix stack overflow in __reserve_region_with_split(). (bnc#801782) - Lustre enablement patches - block: add dev_check_rdonly and friends for Lustre testing (FATE#314679). - dcache: Add DCACHE_LUSTRE_INVALID flag for Lustre to handle its own invalidation (FATE#314679). - lsm: export security_inode_unlink (FATE#315679). - lustre: Add lustre kernel version (FATE#314679). - st: fix memory leak with >1MB tape I/O. (bnc#798921) - cifs: lower default wsize when 1 extensions are not used. (bnc#799578) - ata_generic: Skip is_intel_ider() check when ata_generic=1 is set. (bnc#777616) - quota: autoload the quota_v2 module for QFMT_VFS_V1 quota format. (bnc#802153) - xen: properly bound buffer access when parsing cpu/availability. - netback: shutdown the ring if it contains garbage (CVE-2013-0216 XSA-39 bnc#800280). - netback: correct netbk_tx_err() to handle wrap around (CVE-2013-0216 XSA-39 bnc#800280). - pciback: rate limit error message from pciback_enable_msi() (CVE-2013-0231 XSA-43 bnc#801178). - scsiback/usbback: move cond_resched() invocations to proper place. - drm/i915: Implement workaround for broken CS tlb on i830/845. (bnc#758040) - drivers: scsi: storvsc: Initialize the sglist. - e1000e: 82571 Fix Tx Data Corruption during Tx hang recovery. (bnc#790867) - KVM: Fix buffer overflow in kvm_set_irq(). (bnc#767612 / CVE-2012-2137) - mm: compaction: Abort async compaction if locks are contended or taking too long. - mm: compaction: abort compaction loop if lock is contended or run too long. - mm: compaction: acquire the zone->lock as late as possible. - mm: compaction: acquire the zone->lru_lock as late as possible. - mm: compaction: move fatal signal check out of compact_checklock_irqsave. Reduce LRU and zone lock contention when compacting memory for THP. (bnc#796823)
    last seen 2019-02-21
    modified 2014-08-20
    plugin id 66344
    published 2013-05-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66344
    title SuSE 11.2 Security Update : Linux kernel (SAT Patch Numbers 7667 / 7669 / 7675)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1788-1.NASL
    description Emese Revfy discovered that in the Linux kernel signal handlers could leak address information across an exec, making it possible to bypass ASLR (Address Space Layout Randomization). A local user could use this flaw to bypass ASLR to reliably deliver an exploit payload that would otherwise be stopped (by ASLR). (CVE-2013-0914) A memory use after free error was discovered in the Linux kernel's tmpfs filesystem. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-1767) Mateusz Guzik discovered a race in the Linux kernel's keyring. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1792). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 65800
    published 2013-04-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65800
    title Ubuntu 10.04 LTS : linux-lts-backport-oneiric vulnerabilities (USN-1788-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1787-1.NASL
    description Emese Revfy discovered that in the Linux kernel signal handlers could leak address information across an exec, making it possible to bypass ASLR (Address Space Layout Randomization). A local user could use this flaw to by pass ASLR to reliably deliver an exploit payload that would otherwise be stopped (by ASLR). (CVE-2013-0914) A memoery use after free error was discover in the Linux kernel's tmpfs filesystem. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-1767) Mateusz Guzik discovered a race in the Linux kernel's keyring. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1792). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 65788
    published 2013-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65788
    title Ubuntu 11.10 : linux vulnerabilities (USN-1787-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1796-1.NASL
    description Andrew Jones discovered a flaw with the xen_iret function in Linux kernel's Xen virtualizeation. In the 32-bit Xen paravirt platform an unprivileged guest OS user could exploit this flaw to cause a denial of service (crash the system) or gain guest OS privilege. (CVE-2013-0228) Emese Revfy discovered that in the Linux kernel signal handlers could leak address information across an exec, making it possible to by pass ASLR (Address Space Layout Randomization). A local user could use this flaw to by pass ASLR to reliably deliver an exploit payload that would otherwise be stopped (by ASLR). (CVE-2013-0914) A memory use after free error was discover in the Linux kernel's tmpfs filesystem. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-1767) Mateusz Guzik discovered a race in the Linux kernel's keyring. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1792) Mathias Krause discovered a memory leak in the Linux kernel's crypto report API. A local user with CAP_NET_ADMIN could exploit this leak to examine some of the kernel's stack memory. (CVE-2013-2546) Mathias Krause discovered a memory leak in the Linux kernel's crypto report API. A local user with CAP_NET_ADMIN could exploit this leak to examine some of the kernel's heap memory. (CVE-2013-2547) Mathias Krause discovered information leaks in the Linux kernel's crypto algorithm report API. A local user could exploit these flaws to leak kernel stack and heap memory contents. (CVE-2013-2548). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 65871
    published 2013-04-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65871
    title Ubuntu 12.10 : linux vulnerabilities (USN-1796-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1798-1.NASL
    description Mathias Krause discovered several errors in the Linux kernel's xfrm_user implementation. A local attacker could exploit these flaws to examine parts of kernel memory. (CVE-2012-6537) Mathias Krause discovered information leak in the Linux kernel's compat ioctl interface. A local user could exploit the flaw to examine parts of kernel stack memory (CVE-2012-6539) Mathias Krause discovered an information leak in the Linux kernel's getsockopt for IP_VS_SO_GET_TIMEOUT. A local user could exploit this flaw to examine parts of kernel stack memory. (CVE-2012-6540) Emese Revfy discovered that in the Linux kernel signal handlers could leak address information across an exec, making it possible to by pass ASLR (Address Space Layout Randomization). A local user could use this flaw to by pass ASLR to reliably deliver an exploit payload that would otherwise be stopped (by ASLR). (CVE-2013-0914) A memory use after free error was discover in the Linux kernel's tmpfs filesystem. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-1767) Mateusz Guzik discovered a race in the Linux kernel's keyring. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1792). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 65872
    published 2013-04-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65872
    title Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1798-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130423_KERNEL_ON_SL6_X.NASL
    description * An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the Intel i915 driver in the Linux kernel handled the allocation of the buffer used for relocation copies. A local user with console access could use this flaw to cause a denial of service or escalate their privileges. (CVE-2013-0913, Important) * A buffer overflow flaw was found in the way UTF-8 characters were converted to UTF-16 in the utf8s_to_utf16s() function of the Linux kernel's FAT file system implementation. A local user able to mount a FAT file system with the 'utf8=1' option could use this flaw to crash the system or, potentially, to escalate their privileges. (CVE-2013-1773, Important) * A flaw was found in the way KVM handled guest time updates when the buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) crossed a page boundary. A privileged guest user could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the host kernel level. (CVE-2013-1796, Important) * A potential use-after-free flaw was found in the way KVM handled guest time updates when the GPA (guest physical address) the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell into a movable or removable memory region of the hosting user-space process (by default, QEMU-KVM) on the host. If that memory region is deregistered from KVM using KVM_SET_USER_MEMORY_REGION and the allocated virtual memory reused, a privileged guest user could potentially use this flaw to escalate their privileges on the host. (CVE-2013-1797, Important) * A flaw was found in the way KVM emulated IOAPIC (I/O Advanced Programmable Interrupt Controller). A missing validation check in the ioapic_read_indirect() function could allow a privileged guest user to crash the host, or read a substantial portion of host kernel memory. (CVE-2013-1798, Important) * A race condition in install_user_keyrings(), leading to a NULL pointer dereference, was found in the key management facility. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-1792, Moderate) * A NULL pointer dereference in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to cause a denial of service. (CVE-2013-1826, Moderate) * A NULL pointer dereference in the Datagram Congestion Control Protocol (DCCP) implementation could allow a local user to cause a denial of service. (CVE-2013-1827, Moderate) * Information leak flaws in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2012-6537, Low) * Two information leak flaws in the Asynchronous Transfer Mode (ATM) subsystem could allow a local, unprivileged user to leak kernel stack memory to user-space. (CVE-2012-6546, Low) * An information leak was found in the TUN/TAP device driver in the networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space. (CVE-2012-6547, Low) * An information leak in the Bluetooth implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2013-0349, Low) * A use-after-free flaw was found in the tmpfs implementation. A local user able to mount and unmount a tmpfs file system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1767, Low) * A NULL pointer dereference was found in the Linux kernel's USB Inside Out Edgeport Serial Driver implementation. An attacker with physical access to a system could use this flaw to cause a denial of service. (CVE-2013-1774, Low)
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 66214
    published 2013-04-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66214
    title Scientific Linux Security Update : kernel on SL6.x i386/x86_64
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-0744.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Security : * An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the Intel i915 driver in the Linux kernel handled the allocation of the buffer used for relocation copies. A local user with console access could use this flaw to cause a denial of service or escalate their privileges. (CVE-2013-0913, Important) * A buffer overflow flaw was found in the way UTF-8 characters were converted to UTF-16 in the utf8s_to_utf16s() function of the Linux kernel's FAT file system implementation. A local user able to mount a FAT file system with the 'utf8=1' option could use this flaw to crash the system or, potentially, to escalate their privileges. (CVE-2013-1773, Important) * A flaw was found in the way KVM handled guest time updates when the buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) crossed a page boundary. A privileged guest user could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the host kernel level. (CVE-2013-1796, Important) * A potential use-after-free flaw was found in the way KVM handled guest time updates when the GPA (guest physical address) the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell into a movable or removable memory region of the hosting user-space process (by default, QEMU-KVM) on the host. If that memory region is deregistered from KVM using KVM_SET_USER_MEMORY_REGION and the allocated virtual memory reused, a privileged guest user could potentially use this flaw to escalate their privileges on the host. (CVE-2013-1797, Important) * A flaw was found in the way KVM emulated IOAPIC (I/O Advanced Programmable Interrupt Controller). A missing validation check in the ioapic_read_indirect() function could allow a privileged guest user to crash the host, or read a substantial portion of host kernel memory. (CVE-2013-1798, Important) * A race condition in install_user_keyrings(), leading to a NULL pointer dereference, was found in the key management facility. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-1792, Moderate) * A NULL pointer dereference in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to cause a denial of service. (CVE-2013-1826, Moderate) * A NULL pointer dereference in the Datagram Congestion Control Protocol (DCCP) implementation could allow a local user to cause a denial of service. (CVE-2013-1827, Moderate) * Information leak flaws in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2012-6537, Low) * Two information leak flaws in the Asynchronous Transfer Mode (ATM) subsystem could allow a local, unprivileged user to leak kernel stack memory to user-space. (CVE-2012-6546, Low) * An information leak was found in the TUN/TAP device driver in the networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space. (CVE-2012-6547, Low) * An information leak in the Bluetooth implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2013-0349, Low) * A use-after-free flaw was found in the tmpfs implementation. A local user able to mount and unmount a tmpfs file system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1767, Low) * A NULL pointer dereference was found in the Linux kernel's USB Inside Out Edgeport Serial Driver implementation. An attacker with physical access to a system could use this flaw to cause a denial of service. (CVE-2013-1774, Low) Red Hat would like to thank Andrew Honig of Google for reporting CVE-2013-1796, CVE-2013-1797, and CVE-2013-1798. CVE-2013-1792 was discovered by Mateusz Guzik of Red Hat EMEA GSS SEG Team.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 66204
    published 2013-04-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66204
    title CentOS 6 : kernel (CESA-2013:0744)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0829.NASL
    description Updated kernel-rt packages that fix several security issues and multiple bugs are now available for Red Hat Enterprise MRG 2.3. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Security fixes : * It was found that the kernel-rt update RHBA-2012:0044 introduced an integer conversion issue in the Linux kernel's Performance Events implementation. This led to a user-supplied index into the perf_swevent_enabled array not being validated properly, resulting in out-of-bounds kernel memory access. A local, unprivileged user could use this flaw to escalate their privileges. (CVE-2013-2094, Important) A public exploit for CVE-2013-2094 that affects Red Hat Enterprise MRG 2 is available. Refer to Red Hat Knowledge Solution 373743, linked to in the References, for further information and mitigation instructions for users who are unable to immediately apply this update. * An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the Intel i915 driver in the Linux kernel handled the allocation of the buffer used for relocation copies. A local user with console access could use this flaw to cause a denial of service or escalate their privileges. (CVE-2013-0913, Important) * It was found that the Linux kernel used effective user and group IDs instead of real ones when passing messages with SCM_CREDENTIALS ancillary data. A local, unprivileged user could leverage this flaw with a set user ID (setuid) application, allowing them to escalate their privileges. (CVE-2013-1979, Important) * A race condition in install_user_keyrings(), leading to a NULL pointer dereference, was found in the key management facility. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-1792, Moderate) * A NULL pointer dereference flaw was found in the Linux kernel's XFS file system implementation. A local user who is able to mount an XFS file system could use this flaw to cause a denial of service. (CVE-2013-1819, Moderate) * An information leak was found in the Linux kernel's POSIX signals implementation. A local, unprivileged user could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2013-0914, Low) * A use-after-free flaw was found in the tmpfs implementation. A local user able to mount and unmount a tmpfs file system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1767, Low) * A NULL pointer dereference flaw was found in the Linux kernel's USB Inside Out Edgeport Serial Driver implementation. A local user with physical access to a system and with access to a USB device's tty file could use this flaw to cause a denial of service. (CVE-2013-1774, Low) * A format string flaw was found in the ext3_msg() function in the Linux kernel's ext3 file system implementation. A local user who is able to mount an ext3 file system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1848, Low) * A heap-based buffer overflow flaw was found in the Linux kernel's cdc-wdm driver, used for USB CDC WCM device management. An attacker with physical access to a system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1860, Low) * A heap-based buffer overflow in the way the tg3 Ethernet driver parsed the vital product data (VPD) of devices could allow an attacker with physical access to a system to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1929, Low) * Information leaks in the Linux kernel's cryptographic API could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2013-2546, CVE-2013-2547, CVE-2013-2548, Low) * Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel stack memory to user-space. (CVE-2013-2634, CVE-2013-2635, CVE-2013-3076, CVE-2013-3222, CVE-2013-3224, CVE-2013-3225, CVE-2013-3231, Low) Red Hat would like to thank Andy Lutomirski for reporting CVE-2013-1979. CVE-2013-1792 was discovered by Mateusz Guzik of Red Hat EMEA GSS SEG Team.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 76660
    published 2014-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76660
    title RHEL 6 : MRG (RHSA-2013:0829)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0744.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Security : * An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the Intel i915 driver in the Linux kernel handled the allocation of the buffer used for relocation copies. A local user with console access could use this flaw to cause a denial of service or escalate their privileges. (CVE-2013-0913, Important) * A buffer overflow flaw was found in the way UTF-8 characters were converted to UTF-16 in the utf8s_to_utf16s() function of the Linux kernel's FAT file system implementation. A local user able to mount a FAT file system with the 'utf8=1' option could use this flaw to crash the system or, potentially, to escalate their privileges. (CVE-2013-1773, Important) * A flaw was found in the way KVM handled guest time updates when the buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) crossed a page boundary. A privileged guest user could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the host kernel level. (CVE-2013-1796, Important) * A potential use-after-free flaw was found in the way KVM handled guest time updates when the GPA (guest physical address) the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell into a movable or removable memory region of the hosting user-space process (by default, QEMU-KVM) on the host. If that memory region is deregistered from KVM using KVM_SET_USER_MEMORY_REGION and the allocated virtual memory reused, a privileged guest user could potentially use this flaw to escalate their privileges on the host. (CVE-2013-1797, Important) * A flaw was found in the way KVM emulated IOAPIC (I/O Advanced Programmable Interrupt Controller). A missing validation check in the ioapic_read_indirect() function could allow a privileged guest user to crash the host, or read a substantial portion of host kernel memory. (CVE-2013-1798, Important) * A race condition in install_user_keyrings(), leading to a NULL pointer dereference, was found in the key management facility. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-1792, Moderate) * A NULL pointer dereference in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to cause a denial of service. (CVE-2013-1826, Moderate) * A NULL pointer dereference in the Datagram Congestion Control Protocol (DCCP) implementation could allow a local user to cause a denial of service. (CVE-2013-1827, Moderate) * Information leak flaws in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2012-6537, Low) * Two information leak flaws in the Asynchronous Transfer Mode (ATM) subsystem could allow a local, unprivileged user to leak kernel stack memory to user-space. (CVE-2012-6546, Low) * An information leak was found in the TUN/TAP device driver in the networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space. (CVE-2012-6547, Low) * An information leak in the Bluetooth implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2013-0349, Low) * A use-after-free flaw was found in the tmpfs implementation. A local user able to mount and unmount a tmpfs file system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1767, Low) * A NULL pointer dereference was found in the Linux kernel's USB Inside Out Edgeport Serial Driver implementation. An attacker with physical access to a system could use this flaw to cause a denial of service. (CVE-2013-1774, Low) Red Hat would like to thank Andrew Honig of Google for reporting CVE-2013-1796, CVE-2013-1797, and CVE-2013-1798. CVE-2013-1792 was discovered by Mateusz Guzik of Red Hat EMEA GSS SEG Team.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 66192
    published 2013-04-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66192
    title RHEL 6 : kernel (RHSA-2013:0744)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-113.NASL
    description The Linux kernel was updated to fix various bugs and security issues : - mm/page-writeback.c: do not count anon pages as dirtyable memory (reclaim stalls). - mm/page-writeback.c: fix dirty_balance_reserve subtraction from dirtyable memory (reclaim stalls). - compat_sys_recvmmsg X32 fix (bnc#860993 CVE-2014-0038). - hwmon: (coretemp) Fix truncated name of alarm attributes - net: fib: fib6_add: fix potential NULL pointer dereference (bnc#854173 CVE-2013-6431). - keys: fix race with concurrent install_user_keyrings() (bnc#808358)(CVE-2013-1792). - KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) (bnc#853052 CVE-2013-6368). - wireless: radiotap: fix parsing buffer overrun (bnc#854634 CVE-2013-7027). - KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376) (bnc#853053 CVE-2013-6376). - KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) (bnc#853051 CVE-2013-6367). - KVM: Improve create VCPU parameter (CVE-2013-4587) (bnc#853050 CVE-2013-4587). - staging: ozwpan: prevent overflow in oz_cdev_write() (bnc#849023 CVE-2013-4513). - perf/x86: Fix offcore_rsp valid mask for SNB/IVB (bnc#825006). - perf/x86: Add Intel IvyBridge event scheduling constraints (bnc#825006). - libertas: potential oops in debugfs (bnc#852559 CVE-2013-6378). - aacraid: prevent invalid pointer dereference (bnc#852373 CVE-2013-6380). - staging: wlags49_h2: buffer overflow setting station name (bnc#849029 CVE-2013-4514). - net: flow_dissector: fail on evil iph->ihl (bnc#848079 CVE-2013-4348). - Staging: bcm: info leak in ioctl (bnc#849034 CVE-2013-4515). - Refresh patches.fixes/net-rework-recvmsg-handler-msg_name-and-ms g_namelen-logic.patch. - ipv6: remove max_addresses check from ipv6_create_tempaddr (bnc#805226, CVE-2013-0343). - net: rework recvmsg handler msg_name and msg_namelen logic (bnc#854722). - crypto: ansi_cprng - Fix off by one error in non-block size request (bnc#840226). - x6: Fix reserve_initrd so that acpi_initrd_override is reached (bnc#831836). - Refresh other Xen patches. - aacraid: missing capable() check in compat ioctl (bnc#852558). - patches.fixes/gpio-ich-fix-ichx_gpio_check_available-ret urn.patch: Update upstream reference - perf/ftrace: Fix paranoid level for enabling function tracer (bnc#849362). - xhci: fix NULL pointer dereference on ring_doorbell_for_active_rings (bnc#848255). - xhci: Fix oops happening after address device timeout (bnc#848255). - xhci: Ensure a command structure points to the correct trb on the command ring (bnc#848255). - patches.arch/iommu-vt-d-remove-stack-trace-from-broken-i rq-remapping-warning.patch: Update upstream reference. - Allow NFSv4 username mapping to work properly (bnc#838024). - Refresh btrfs attribute publishing patchset to match openSUSE-13.1 No user-visible changes, but uses kobj_sysfs_ops and better kobject lifetime management. - Fix a few incorrectly checked [io_]remap_pfn_range() calls (bnc#849021, CVE-2013-4511). - drm/radeon: don't set hpd, afmt interrupts when interrupts are disabled. - patches.fixes/cifs-fill-TRANS2_QUERY_FILE_INFO-ByteCount -fields.patch: Fix TRANS2_QUERY_FILE_INFO ByteCount fields (bnc#804950). - iommu: Remove stack trace from broken irq remapping warning (bnc#844513). - Disable patches related to bnc#840656 patches.suse/btrfs-cleanup-don-t-check-the-same-thing-tw ice patches.suse/btrfs-0220-fix-for-patch-cleanup-don-t-chec k-the-same-thi.patch - btrfs: use feature attribute names to print better error messages. - btrfs: add ability to change features via sysfs. - btrfs: add publishing of unknown features in sysfs. - btrfs: publish per-super features to sysfs. - btrfs: add per-super attributes to sysfs. - btrfs: export supported featured to sysfs. - kobject: introduce kobj_completion. - btrfs: add ioctls to query/change feature bits online. - btrfs: use btrfs_commit_transaction when setting fslabel. - x86/iommu/vt-d: Expand interrupt remapping quirk to cover x58 chipset (bnc#844513). - NFSv4: Fix issues in nfs4_discover_server_trunking (bnc#811746). - iommu/vt-d: add quirk for broken interrupt remapping on 55XX chipsets (bnc#844513).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75251
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75251
    title openSUSE Security Update : kernel (openSUSE-SU-2014:0204-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-2525.NASL
    description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 68855
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68855
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2013-2525)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1793-1.NASL
    description Emese Revfy discovered that in the Linux kernel signal handlers could leak address information across an exec, making it possible to by pass ASLR (Address Space Layout Randomization). A local user could use this flaw to by pass ASLR to reliably deliver an exploit payload that would otherwise be stopped (by ASLR). (CVE-2013-0914) A memory use after free error was discover in the Linux kernel's tmpfs filesystem. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-1767) Mateusz Guzik discovered a race in the Linux kernel's keyring. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1792) Mathias Krause discovered a memory leak in the Linux kernel's crypto report API. A local user with CAP_NET_ADMIN could exploit this leak to examine some of the kernel's stack memory. (CVE-2013-2546) Mathias Krause discovered a memory leak in the Linux kernel's crypto report API. A local user with CAP_NET_ADMIN could exploit this leak to examine some of the kernel's heap memory. (CVE-2013-2547) Mathias Krause discovered information leaks in the Linux kernel's crypto algorithm report API. A local user could exploit these flaws to leak kernel stack and heap memory contents. (CVE-2013-2548). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 65869
    published 2013-04-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65869
    title Ubuntu 12.04 LTS : linux vulnerabilities (USN-1793-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2668.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2012-2121 Benjamin Herrenschmidt and Jason Baron discovered issues with the IOMMU mapping of memory slots used in KVM device assignment. Local users with the ability to assign devices could cause a denial of service due to a memory page leak. - CVE-2012-3552 Hafid Lin reported an issue in the IP networking subsystem. A remote user can cause a denial of service (system crash) on servers running applications that set options on sockets which are actively being processed. - CVE-2012-4461 Jon Howell reported a denial of service issue in the KVM subsystem. On systems that do not support the XSAVE feature, local users with access to the /dev/kvm interface can cause a system crash. - CVE-2012-4508 Dmitry Monakhov and Theodore Ts'o reported a race condition in the ext4 filesystem. Local users could gain access to sensitive kernel memory. - CVE-2012-6537 Mathias Krause discovered information leak issues in the Transformation user configuration interface. Local users with the CAP_NET_ADMIN capability can gain access to sensitive kernel memory. - CVE-2012-6539 Mathias Krause discovered an issue in the networking subsystem. Local users on 64-bit systems can gain access to sensitive kernel memory. - CVE-2012-6540 Mathias Krause discovered an issue in the Linux virtual server subsystem. Local users can gain access to sensitive kernel memory. Note: this issue does not affect Debian provided kernels, but may affect custom kernels built from Debian's linux-source-2.6.32 package. - CVE-2012-6542 Mathias Krause discovered an issue in the LLC protocol support code. Local users can gain access to sensitive kernel memory. - CVE-2012-6544 Mathias Krause discovered issues in the Bluetooth subsystem. Local users can gain access to sensitive kernel memory. - CVE-2012-6545 Mathias Krause discovered issues in the Bluetooth RFCOMM protocol support. Local users can gain access to sensitive kernel memory. - CVE-2012-6546 Mathias Krause discovered issues in the ATM networking support. Local users can gain access to sensitive kernel memory. - CVE-2012-6548 Mathias Krause discovered an issue in the UDF file system support. Local users can obtain access to sensitive kernel memory. - CVE-2012-6549 Mathias Krause discovered an issue in the isofs file system support. Local users can obtain access to sensitive kernel memory. - CVE-2013-0349 Anderson Lizardo discovered an issue in the Bluetooth Human Interface Device Protocol (HIDP) stack. Local users can obtain access to sensitive kernel memory. - CVE-2013-0914 Emese Revfy discovered an issue in the signal implementation. Local users may be able to bypass the address space layout randomization (ASLR) facility due to a leaking of information to child processes. - CVE-2013-1767 Greg Thelen reported an issue in the tmpfs virtual memory filesystem. Local users with sufficient privilege to mount filesystems can cause a denial of service or possibly elevated privileges due to a use-after free defect. - CVE-2013-1773 Alan Stern provided a fix for a defect in the UTF8->UTF16 string conversion facility used by the VFAT filesystem. A local user could cause a buffer overflow condition, resulting in a denial of service or potentially elevated privileges. - CVE-2013-1774 Wolfgang Frisch provided a fix for a NULL pointer dereference defect in the driver for some serial USB devices from Inside Out Networks. Local users with permission to access these devices can create a denial of service (kernel oops) by causing the device to be removed while it is in use. - CVE-2013-1792 Mateusz Guzik of Red Hat EMEA GSS SEG Team discovered a race condition in the access key retention support in the kernel. A local user could cause a denial of service (NULL pointer dereference). - CVE-2013-1796 Andrew Honig of Google reported an issue in the KVM subsystem. A user in a guest operating system could corrupt kernel memory, resulting in a denial of service. - CVE-2013-1798 Andrew Honig of Google reported an issue in the KVM subsystem. A user in a guest operating system could cause a denial of service due to a use after-free defect. - CVE-2013-1826 Mathias Krause discovered an issue in the Transformation (XFRM) user configuration interface of the networking stack. A user with the CAP_NET_ADMIN capability may be able to gain elevated privileges. - CVE-2013-1860 Oliver Neukum discovered an issue in the USB CDC WCM Device Management driver. Local users with the ability to attach devices can cause a denial of service (kernel crash) or potentially gain elevated privileges. - CVE-2013-1928 Kees Cook provided a fix for an information leak in the VIDEO_SET_SPU_PALETTE ioctl for 32-bit applications running on a 64-bit kernel. Local users can gain access to sensitive kernel memory. - CVE-2013-1929 Oded Horovitz and Brad Spengler reported an issue in the device driver for Broadcom Tigon3 based gigabit Ethernet. Users with the ability to attach untrusted devices can create an overflow condition, resulting in a denial of service or elevated privileges. - CVE-2013-2015 Theodore Ts'o provided a fix for an issue in the ext4 filesystem. Local users with the ability to mount a specially crafted filesystem can cause a denial of service (infinite loop). - CVE-2013-2634 Mathias Krause discovered a few issues in the Data Center Bridging (DCB) netlink interface. Local users can gain access to sensitive kernel memory. - CVE-2013-3222 Mathias Krause discovered an issue in the Asynchronous Transfer Mode (ATM) protocol support. Local users can gain access to sensitive kernel memory. - CVE-2013-3223 Mathias Krause discovered an issue in the Amateur Radio AX.25 protocol support. Local users can gain access to sensitive kernel memory. - CVE-2013-3224 Mathias Krause discovered an issue in the Bluetooth subsystem. Local users can gain access to sensitive kernel memory. - CVE-2013-3225 Mathias Krause discovered an issue in the Bluetooth RFCOMM protocol support. Local users can gain access to sensitive kernel memory. - CVE-2013-3228 Mathias Krause discovered an issue in the IrDA (infrared) subsystem support. Local users can gain access to sensitive kernel memory. - CVE-2013-3229 Mathias Krause discovered an issue in the IUCV support on s390 systems. Local users can gain access to sensitive kernel memory. - CVE-2013-3231 Mathias Krause discovered an issue in the ANSI/IEEE 802.2 LLC type 2 protocol support. Local users can gain access to sensitive kernel memory. - CVE-2013-3234 Mathias Krause discovered an issue in the Amateur Radio X.25 PLP (Rose) protocol support. Local users can gain access to sensitive kernel memory. - CVE-2013-3235 Mathias Krause discovered an issue in the Transparent Inter Process Communication (TIPC) protocol support. Local users can gain access to sensitive kernel memory.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 66431
    published 2013-05-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66431
    title Debian DSA-2668-1 : linux-2.6 - privilege escalation/denial of service/information leak
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-0744.NASL
    description From Red Hat Security Advisory 2013:0744 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Security : * An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the Intel i915 driver in the Linux kernel handled the allocation of the buffer used for relocation copies. A local user with console access could use this flaw to cause a denial of service or escalate their privileges. (CVE-2013-0913, Important) * A buffer overflow flaw was found in the way UTF-8 characters were converted to UTF-16 in the utf8s_to_utf16s() function of the Linux kernel's FAT file system implementation. A local user able to mount a FAT file system with the 'utf8=1' option could use this flaw to crash the system or, potentially, to escalate their privileges. (CVE-2013-1773, Important) * A flaw was found in the way KVM handled guest time updates when the buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) crossed a page boundary. A privileged guest user could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the host kernel level. (CVE-2013-1796, Important) * A potential use-after-free flaw was found in the way KVM handled guest time updates when the GPA (guest physical address) the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell into a movable or removable memory region of the hosting user-space process (by default, QEMU-KVM) on the host. If that memory region is deregistered from KVM using KVM_SET_USER_MEMORY_REGION and the allocated virtual memory reused, a privileged guest user could potentially use this flaw to escalate their privileges on the host. (CVE-2013-1797, Important) * A flaw was found in the way KVM emulated IOAPIC (I/O Advanced Programmable Interrupt Controller). A missing validation check in the ioapic_read_indirect() function could allow a privileged guest user to crash the host, or read a substantial portion of host kernel memory. (CVE-2013-1798, Important) * A race condition in install_user_keyrings(), leading to a NULL pointer dereference, was found in the key management facility. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-1792, Moderate) * A NULL pointer dereference in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to cause a denial of service. (CVE-2013-1826, Moderate) * A NULL pointer dereference in the Datagram Congestion Control Protocol (DCCP) implementation could allow a local user to cause a denial of service. (CVE-2013-1827, Moderate) * Information leak flaws in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2012-6537, Low) * Two information leak flaws in the Asynchronous Transfer Mode (ATM) subsystem could allow a local, unprivileged user to leak kernel stack memory to user-space. (CVE-2012-6546, Low) * An information leak was found in the TUN/TAP device driver in the networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space. (CVE-2012-6547, Low) * An information leak in the Bluetooth implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2013-0349, Low) * A use-after-free flaw was found in the tmpfs implementation. A local user able to mount and unmount a tmpfs file system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1767, Low) * A NULL pointer dereference was found in the Linux kernel's USB Inside Out Edgeport Serial Driver implementation. An attacker with physical access to a system could use this flaw to cause a denial of service. (CVE-2013-1774, Low) Red Hat would like to thank Andrew Honig of Google for reporting CVE-2013-1796, CVE-2013-1797, and CVE-2013-1798. CVE-2013-1792 was discovered by Mateusz Guzik of Red Hat EMEA GSS SEG Team.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68807
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68807
    title Oracle Linux 6 : kernel (ELSA-2013-0744)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-2523.NASL
    description Description of changes: [2.6.39-400.23.1.el6uek] - Parallel mtrr init between cpus (Zhenzhong Duan) [Orabug: 16777774] - Merge tag 'v2.6.39-400.21.1.16748891' of git://ca-git.us.oracle.com/linux-uek-2.6.39-ofed into uek-2.6.39-400 (Maxim Uvarov) [Orabug: 16748891] - xen-blkfront: use a different scatterlist for each request (Roger Pau Monne) - Fix EN driver to work with newer FWs based on latest mlx4_core (Yuval Shaia) [Orabug: 16748891] [2.6.39-400.22.1.el6uek] - block: default SCSI command filter does not accomodate commands overlap across device classes (Jamie Iles) [Orabug: 16387137] {CVE-2012-4542} - Merge tag 'v2.6.39-400.21.1#bug16684527' of git://ca-git.us.oracle.com/linux-joejin-public into uek-2.6.39-400_errata (Maxim Uvarov) [Orabug: 16684527] - KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) (Andy Honig) [Orabug: 16711660] {CVE-2013-1797} - Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() (Anderson Lizardo) [Orabug: 16711065] {CVE-2013-0349} - USB: io_ti: Fix NULL dereference in chase_port() (Wolfgang Frisch) [Orabug: 16425358] {CVE-2013-1774} - keys: fix race with concurrent install_user_keyrings() (David Howells) [Orabug: 16493354] {CVE-2013-1792} - KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) (Andy Honig) [Orabug: 16710951] {CVE-2013-1798} - KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) (Andy Honig) [Orabug: 16710806] {CVE-2013-1796} - tmpfs: fix use-after-free of mempolicy object (Greg Thelen) [Orabug: 16515833] {CVE-2013-1767} - procfs: do not confuse jiffies with cputime64_t (Andreas Schwab) [Orabug: 16673925] - procfs: do not overflow get_{idle,iowait}_time for nohz (Michal Hocko) [Orabug: 16673925] - xen/evtchn: Handle VIRQ_TIMER before any other hardirq in event loop. (Keir Fraser) [Orabug: 16093126] - Fix device removal NULL pointer dereference (Joe Jin) [Orabug: 16684527] - put stricter guards on queue dead checks (James Bottomley) [Orabug: 16684527]
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 68853
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68853
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2013-2523)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1792-1.NASL
    description Mathias Krause discovered several errors in the Linux kernel's xfrm_user implementation. A local attacker could exploit these flaws to examine parts of kernel memory. (CVE-2012-6537) Mathias Krause discovered information leak in the Linux kernel's compat ioctl interface. A local user could exploit the flaw to examine parts of kernel stack memory (CVE-2012-6539) Mathias Krause discovered an information leak in the Linux kernel's getsockopt for IP_VS_SO_GET_TIMEOUT. A local user could exploit this flaw to examine parts of kernel stack memory. (CVE-2012-6540) Emese Revfy discovered that in the Linux kernel signal handlers could leak address information across an exec, making it possible to by pass ASLR (Address Space Layout Randomization). A local user could use this flaw to by pass ASLR to reliably deliver an exploit payload that would otherwise be stopped (by ASLR). (CVE-2013-0914) A memory use after free error was discover in the Linux kernel's tmpfs filesystem. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-1767) Mateusz Guzik discovered a race in the Linux kernel's keyring. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1792). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 65868
    published 2013-04-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65868
    title Ubuntu 10.04 LTS : linux vulnerabilities (USN-1792-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-2534.NASL
    description Description of changes: [2.6.32-400.29.1.el6uek] - KVM: add missing void __user COPYING CREDITS Documentation Kbuild MAINTAINERS Makefile README REPORTING-BUGS arch block crypto drivers firmware fs include init ipc kernel lib mm net samples scripts security sound tools uek-rpm usr virt cast to access_ok() call (Heiko Carstens) [Orabug: 16941620] {CVE-2013-1943} - KVM: Validate userspace_addr of memslot when registered (Takuya Yoshikawa) [Orabug: 16941620] {CVE-2013-1943} [2.6.32-400.28.1.el6uek] - do_add_mount()/umount -l races (Jerry Snitselaar) [Orabug: 16311974] - tg3: fix length overflow in VPD firmware parsing (Kees Cook) [Orabug: 16837019] {CVE-2013-1929} - USB: cdc-wdm: fix buffer overflow (Oliver Neukum) [Orabug: 16837003] {CVE-2013-1860} - bonding: emit event when bonding changes MAC (Weiping Pan) [Orabug: 16579025] - sched: Fix ancient race in do_exit() (Joe Jin) - open debug in page_move_anon_rmap by default. (Xiaowei.Hu) [Orabug: 14046035] - block: default SCSI command filter does not accomodate commands overlap across device classes (Jamie Iles) [Orabug: 16387136] {CVE-2012-4542} - vma_adjust: fix the copying of anon_vma chains (Linus Torvalds) [Orabug: 14046035] - xen-netfront: delay gARP until backend switches to Connected (Laszlo Ersek) [Orabug: 16182568] - svcrpc: don't hold sv_lock over svc_xprt_put() (J. Bruce Fields) [Orabug: 16032824] - mm/hotplug: correctly add new zone to all other nodes' zone lists (Jiang Liu) [Orabug: 16603569] {CVE-2012-5517} - ptrace: ptrace_resume() shouldn't wake up !TASK_TRACED thread (Oleg Nesterov) [Orabug: 16405868] {CVE-2013-0871} - ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL (Oleg Nesterov) [Orabug: 16405868] {CVE-2013-0871} - ptrace: introduce signal_wake_up_state() and ptrace_signal_wake_up() (Oleg Nesterov) [Orabug: 16405868] {CVE-2013-0871} - Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() (Anderson Lizardo) [Orabug: 16711062] {CVE-2013-0349} - dccp: check ccid before dereferencing (Mathias Krause) [Orabug: 16711040] {CVE-2013-1827} - USB: io_ti: Fix NULL dereference in chase_port() (Wolfgang Frisch) [Orabug: 16425435] {CVE-2013-1774} - keys: fix race with concurrent install_user_keyrings() (David Howells) [Orabug: 16493369] {CVE-2013-1792} - KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) (Andy Honig) [Orabug: 16710937] {CVE-2013-1798} - KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) (Jerry Snitselaar) [Orabug: 16710794] {CVE-2013-1796} [2.6.32-400.27.1.el6uek] - net/tun: fix ioctl() based info leaks (Mathias Krause) [Orabug: 16675501] {CVE-2012-6547} - atm: fix info leak via getsockname() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6546} - atm: fix info leak in getsockopt(SO_ATMPVC) (Mathias Krause) [Orabug: 16675501] {CVE-2012-6546} - xfrm_user: fix info leak in copy_to_user_tmpl() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6537} - xfrm_user: fix info leak in copy_to_user_policy() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6537} - xfrm_user: fix info leak in copy_to_user_state() (Mathias Krause) [Orabug: 16675501] {CVE-2013-6537} - xfrm_user: return error pointer instead of NULL #2 (Mathias Krause) [Orabug: 16675501] {CVE-2013-1826} - xfrm_user: return error pointer instead of NULL (Mathias Krause) [Orabug: 16675501] {CVE-2013-1826} - llc: fix info leak via getsockname() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6542} - x86/mm: Check if PUD is large when validating a kernel address (Mel Gorman) [Orabug: 14251997]
    last seen 2019-02-21
    modified 2016-05-20
    plugin id 68856
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68856
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2013-2534)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-2519.NASL
    description Description of changes: [2.6.39-400.21.2.el6uek] - KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) (Andy Honig) [Orabug: 16711660] {CVE-2013-1797} - Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() (Anderson Lizardo) [Orabug: 16711065] {CVE-2013-0349} - USB: io_ti: Fix NULL dereference in chase_port() (Wolfgang Frisch) [Orabug: 16425358] {CVE-2013-1774} - keys: fix race with concurrent install_user_keyrings() (David Howells) [Orabug: 16493354] {CVE-2013-1792} - KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) (Andy Honig) [Orabug: 16710951] {CVE-2013-1798} - KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) (Andy Honig) [Orabug: 16710806] {CVE-2013-1796} - tmpfs: fix use-after-free of mempolicy object (Greg Thelen) [Orabug: 16515833] {CVE-2013-1767}
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 68851
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68851
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2013-2519)
redhat via4
advisories
rhsa
id RHSA-2013:0744
rpms
  • kernel-0:2.6.32-358.6.1.el6
  • kernel-bootwrapper-0:2.6.32-358.6.1.el6
  • kernel-debug-0:2.6.32-358.6.1.el6
  • kernel-debug-devel-0:2.6.32-358.6.1.el6
  • kernel-devel-0:2.6.32-358.6.1.el6
  • kernel-doc-0:2.6.32-358.6.1.el6
  • kernel-firmware-0:2.6.32-358.6.1.el6
  • kernel-headers-0:2.6.32-358.6.1.el6
  • kernel-kdump-0:2.6.32-358.6.1.el6
  • kernel-kdump-devel-0:2.6.32-358.6.1.el6
  • perf-0:2.6.32-358.6.1.el6
  • python-perf-0:2.6.32-358.6.1.el6
refmap via4
confirm
mandriva MDVSA-2013:176
mlist [oss-security] 20130307 CVE-2013-1792 Linux kernel: KEYS: race with concurrent install_user_keyrings()
suse
  • openSUSE-SU-2013:1187
  • openSUSE-SU-2014:0204
ubuntu
  • USN-1787-1
  • USN-1788-1
  • USN-1792-1
  • USN-1793-1
  • USN-1794-1
  • USN-1795-1
  • USN-1796-1
  • USN-1797-1
  • USN-1798-1
Last major update 05-03-2014 - 23:44
Published 22-03-2013 - 07:59
Back to Top