ID CVE-2014-1446
Summary The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call.
References
Vulnerable Configurations
  • Linux Kernel 3.12
    cpe:2.3:o:linux:linux_kernel:3.12
  • Linux Kernel 3.12.1
    cpe:2.3:o:linux:linux_kernel:3.12.1
  • Linux Kernel 3.12.2
    cpe:2.3:o:linux:linux_kernel:3.12.2
  • Linux Kernel 3.12.3
    cpe:2.3:o:linux:linux_kernel:3.12.3
  • Linux Kernel 3.12.4
    cpe:2.3:o:linux:linux_kernel:3.12.4
  • Linux Kernel 3.12.5
    cpe:2.3:o:linux:linux_kernel:3.12.5
  • Linux Kernel 3.12.7
    cpe:2.3:o:linux:linux_kernel:3.12.7
  • Linux Kernel 3.12.6
    cpe:2.3:o:linux:linux_kernel:3.12.6
CVSS
Base: 1.9 (as of 21-01-2014 - 16:05)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
LOCAL MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KERNEL-140709.NASL
    description The SUSE Linux Enterprise 11 Service Pack 3 kernel has been updated to fix various bugs and security issues. The following security bugs have been fixed : - The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel 3.7.4 and earlier allows local users to cause a denial of service (BUG_ON and kernel panic) by establishing an RDS connection with the source IP address equal to the IPoIB interfaces own IP address, as demonstrated by rds-ping. (bnc#767610). (CVE-2012-2372) - The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h. (bnc#847652). (CVE-2013-2929) - Interpretation conflict in drivers/md/dm-snap-persistent.c in the Linux kernel through 3.11.6 allows remote authenticated users to obtain sensitive information or modify data via a crafted mapping to a snapshot block device. (bnc#846404). (CVE-2013-4299) - The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations. (bnc#851426). (CVE-2013-4579) - Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c. (bnc#852553). (CVE-2013-6382) - The rds_ib_laddr_check function in net/rds/ib.c in the Linux kernel before 3.12.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports. (bnc#869563). (CVE-2013-7339) - The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors. (bnc#870173). (CVE-2014-0055) - drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions. (bnc#870576). (CVE-2014-0077) - The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk. (bnc#866102). (CVE-2014-0101) - Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. (bnc#867723). (CVE-2014-0131) - The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced. (bnc#872540). (CVE-2014-0155) - The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869). (CVE-2014-1444) - The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call. (bnc#858870). (CVE-2014-1445) - The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. (bnc#858872). (CVE-2014-1446) - The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context. (bnc#863335). (CVE-2014-1874) - The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets. (bnc#867531). (CVE-2014-2309) - net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function. (bnc#868653). (CVE-2014-2523) - The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel through 3.14 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports. (bnc#871561). (CVE-2014-2678) - Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter. (bnc#873374). (CVE-2014-2851) - The try_to_unmap_cluster function in mm/rmap.c in the Linux kernel before 3.14.3 does not properly consider which pages must be locked, which allows local users to cause a denial of service (system crash) by triggering a memory-usage pattern that requires removal of page-table mappings. (bnc#876102). (CVE-2014-3122) - The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length value is sufficiently large, which allows local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr and __skb_get_nlattr_nest functions before the vulnerability was announced. (bnc#877257). (CVE-2014-3144) - The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 uses the reverse order in a certain subtraction, which allows local users to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced. (bnc#877257). (CVE-2014-3145) - kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number. (bnc#880484). (CVE-2014-3917) - arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number. (CVE-2014-4508) -. (bnc#883724) - Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. (bnc#883795). (CVE-2014-4652) - sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. (bnc#883795). (CVE-2014-4653) - The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call. (bnc#883795). (CVE-2014-4654) - The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. (bnc#883795). (CVE-2014-4655) - Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function. (bnc#883795). (CVE-2014-4656) - The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls. (bnc#885725). (CVE-2014-4699) Also the following non-security bugs have been fixed : - kernel: avoid page table walk on user space access (bnc#878407, LTC#110316). - spinlock: fix system hang with spin_retry <= 0 (bnc#874145, LTC#110189). - x86/UV: Set n_lshift based on GAM_GR_CONFIG MMR for UV3. (bnc#876176) - x86: Enable multiple CPUs in crash kernel. (bnc#846690) - x86/mce: Fix CMCI preemption bugs. (bnc#786450) - x86, CMCI: Add proper detection of end of CMCI storms. (bnc#786450) - futex: revert back to the explicit waiter counting code. (bnc#851603) - futex: avoid race between requeue and wake. (bnc#851603) - intel-iommu: fix off-by-one in pagetable freeing. (bnc#874577) - ia64: Change default PSR.ac from '1' to '0' (Fix erratum #237). (bnc#874108) - drivers/rtc/interface.c: fix infinite loop in initializing the alarm. (bnc#871676) - drm/ast: Fix double lock at PM resume. (bnc#883380) - drm/ast: add widescreen + rb modes from X.org driver (v2). (bnc#883380) - drm/ast: deal with bo reserve fail in dirty update path. (bnc#883380) - drm/ast: do not attempt to acquire a reservation while in an interrupt handler. (bnc#883380) - drm/ast: fix the ast open key function. (bnc#883380) - drm/ast: fix value check in cbr_scan2. (bnc#883380) - drm/ast: inline reservations. (bnc#883380) - drm/ast: invalidate page tables when pinning a BO. (bnc#883380) - drm/ast: rename the mindwm/moutdwm and deinline them. (bnc#883380) - drm/ast: resync the dram post code with upstream. (bnc#883380) - drm: ast: use drm_can_sleep. (bnc#883380) - drm/ast: use drm_modeset_lock_all. (bnc#883380) - drm/: Unified handling of unimplemented fb->create_handle. (bnc#883380) - drm/mgag200,ast,cirrus: fix regression with drm_can_sleep conversion. (bnc#883380) - drm/mgag200: Consolidate depth/bpp handling. (bnc#882324) - drm/ast: Initialized data needed to map fbdev memory. (bnc#880007) - drm/ast: add AST 2400 support. (bnc#880007) - drm/ast: Initialized data needed to map fbdev memory. (bnc#880007) - drm/mgag200: on cards with < 2MB VRAM default to 16-bit. (bnc#882324) - drm/mgag200: fix typo causing bw limits to be ignored on some chips. (bnc#882324) - drm/ttm: do not oops if no invalidate_caches(). (bnc#869414) - drm/i915: Break encoder->crtc link separately in intel_sanitize_crtc(). (bnc#855126) - dlm: keep listening connection alive with sctp mode. (bnc#881939) - series.conf: Clarify comment about Xen kabi adjustments (bnc#876114#c25) - btrfs: fix a crash when running balance and defrag concurrently. - btrfs: unset DCACHE_DISCONNECTED when mounting default subvol. (bnc#866615) - btrfs: free delayed node outside of root->inode_lock. (bnc#866864) - btrfs: return EPERM when deleting a default subvolume. (bnc#869934) - btrfs: do not loop on large offsets in readdir. (bnc#863300) - sched: Consider pi boosting in setscheduler. - sched: Queue RT tasks to head when prio drops. - sched: Adjust sched_reset_on_fork when nothing else changes. - sched: Fix clock_gettime(CLOCK__CPUTIME_ID) monotonicity. (bnc#880357) - sched: Do not allow scheduler time to go backwards. (bnc#880357) - sched: Make scale_rt_power() deal with backward clocks. (bnc#865310) - sched: Use CPUPRI_NR_PRIORITIES instead of MAX_RT_PRIO in cpupri check. (bnc#871861) - sched: update_rq_clock() must skip ONE update. (bnc#869033, bnc#868528) - tcp: allow to disable cwnd moderation in TCP_CA_Loss state. (bnc#879921) - tcp: clear xmit timers in tcp_v4_syn_recv_sock(). (bnc#862429) - net: add missing bh_unlock_sock() calls. (bnc#862429) - bonding: fix vlan_features computing. (bnc#872634) - vlan: more careful checksum features handling. (bnc#872634) - xfrm: fix race between netns cleanup and state expire notification. (bnc#879957) - xfrm: check peer pointer for null before calling inet_putpeer(). (bnc#877775) - ipv6: do not overwrite inetpeer metrics prematurely. (bnc#867362) - pagecachelimit: reduce lru_lock contention for heavy parallel kabi fixup:. (bnc#878509, bnc#864464) - pagecachelimit: reduce lru_lock contention for heavy parallel reclaim. (bnc#878509, bnc#864464) - TTY: serial, cleanup include file. (bnc#881571) - TTY: serial, fix includes in some drivers. (bnc#881571) - serial_core: Fix race in uart_handle_dcd_change. (bnc#881571) - powerpc/perf: Power8 PMU support. (bnc#832710) - powerpc/perf: Add support for SIER. (bnc#832710) - powerpc/perf: Add regs_no_sipr(). (bnc#832710) - powerpc/perf: Add an accessor for regs->result. (bnc#832710) - powerpc/perf: Convert mmcra_sipr/sihv() to regs_sipr/sihv(). (bnc#832710) - powerpc/perf: Add an explict flag indicating presence of SLOT field. (bnc#832710) - swiotlb: do not assume PA 0 is invalid. (bnc#865882) - lockref: implement lockless reference count updates using cmpxchg() (FATE#317271). - af_iucv: wrong mapping of sent and confirmed skbs (bnc#878407, LTC#110452). - af_iucv: recvmsg problem for SOCK_STREAM sockets (bnc#878407, LTC#110452). - af_iucv: fix recvmsg by replacing skb_pull() function (bnc#878407, LTC#110452). - qla2xxx: Poll during initialization for ISP25xx and ISP83xx. (bnc#837563) - qla2xxx: Fix request queue null dereference. (bnc#859840) - lpfc 8.3.41: Fixed SLI3 failing FCP write on check-condition no-sense with residual zero. (bnc#850915) - reiserfs: call truncate_setsize under tailpack mutex. (bnc#878115) - reiserfs: drop vmtruncate. (bnc#878115) - ipvs: handle IPv6 fragments with one-packet scheduling. (bnc#861980) - kabi: hide modifications of struct sk_buff done by bnc#861980 fix. (bnc#861980) - loop: remove the incorrect write_begin/write_end shortcut. (bnc#878123) - watchdog: hpwdt patch to display informative string. (bnc#862934) - watchdog: hpwdt: Patch to ignore auxilary iLO devices. (bnc#862934) - watchdog: hpwdt: Add check for UEFI bits. (bnc#862934) - watchdog: hpwdt.c: Increase version string. (bnc#862934) - hpilo: Correct panic when an AUX iLO is detected. (bnc#837563) - locking/mutexes: Introduce cancelable MCS lock for adaptive spinning (FATE#317271). - locking/mutexes: Modify the way optimistic spinners are queued (FATE#317271). - locking/mutexes: Return false if task need_resched() in mutex_can_spin_on_owner() (FATE#317271). - mutex: Enable the queuing of mutex spinners with MCS lock (FATE#317271). config: disabled on all flavors - mutex: Queue mutex spinners with MCS lock to reduce cacheline contention (FATE#317271). - memcg: deprecate memory.force_empty knob. (bnc#878274) - kabi: protect struct net from bnc#877013 changes. (bnc#877013) - netfilter: nfnetlink_queue: add net namespace support for nfnetlink_queue. (bnc#877013) - netfilter: make /proc/net/netfilter pernet. (bnc#877013) - netfilter: xt_hashlimit: fix proc entry leak in netns destroy path. (bnc#871634) - netfilter: xt_hashlimit: fix namespace destroy path. (bnc#871634) - netfilter: nf_queue: reject NF_STOLEN verdicts from userspace. (bnc#870877) - netfilter: avoid double free in nf_reinject. (bnc#870877) - netfilter: ctnetlink: fix race between delete and timeout expiration. (bnc#863410) - netfilter: reuse skb->nfct_reasm for ipvs conn reference. (bnc#861980) - mm: per-thread vma caching (FATE#317271). config: enable CONFIG_VMA_CACHE for x86_64/bigsmp - mm, hugetlb: improve page-fault scalability (FATE#317271). - mm: vmscan: Do not throttle based on pfmemalloc reserves if node has no ZONE_NORMAL. (bnc#870496) - mm: fix off-by-one bug in print_nodes_state(). (bnc#792271) - hugetlb: ensure hugepage access is denied if hugepages are not supported (PowerKVM crash when mounting hugetlbfs without hugepage support (bnc#870498)). - SELinux: Increase ebitmap_node size for 64-bit configuration (FATE#317271). - SELinux: Reduce overhead of mls_level_isvalid() function call (FATE#317271). - mutex: Fix debug_mutexes (FATE#317271). - mutex: Fix debug checks (FATE#317271). - locking/mutexes: Unlock the mutex without the wait_lock (FATE#317271). - epoll: do not take the nested ep->mtx on EPOLL_CTL_DEL (FATE#317271). - epoll: do not take global 'epmutex' for simple topologies (FATE#317271). - epoll: optimize EPOLL_CTL_DEL using rcu (FATE#317271). - vfs: Fix missing unlock of vfsmount_lock in unlazy_walk. (bnc#880437) - dcache: kABI fixes for lockref dentries (FATE#317271). - vfs: make sure we do not have a stale root path if unlazy_walk() fails (FATE#317271). - vfs: fix dentry RCU to refcounting possibly sleeping dput() (FATE#317271). - vfs: use lockref 'dead' flag to mark unrecoverably dead dentries (FATE#317271). - vfs: reimplement d_rcu_to_refcount() using lockref_get_or_lock() (FATE#317271). - vfs: Remove second variable named error in __dentry_path (FATE#317271). - make prepend_name() work correctly when called with negative *buflen (FATE#317271). - prepend_path() needs to reinitialize dentry/vfsmount on restarts (FATE#317271). - dcache: get/release read lock in read_seqbegin_or_lock() & friend (FATE#317271). - seqlock: Add a new locking reader type (FATE#317271). - dcache: Translating dentry into pathname without taking rename_lock (FATE#317271). - vfs: make the dentry cache use the lockref infrastructure (FATE#317271). - vfs: Remove dentry->d_lock locking from shrink_dcache_for_umount_subtree() (FATE#317271). - vfs: use lockref_get_not_zero() for optimistic lockless dget_parent() (FATE#317271). - vfs: constify dentry parameter in d_count() (FATE#317271). - helper for reading ->d_count (FATE#317271). - lockref: use arch_mutex_cpu_relax() in CMPXCHG_LOOP() (FATE#317271). - lockref: allow relaxed cmpxchg64 variant for lockless updates (FATE#317271). - lockref: use cmpxchg64 explicitly for lockless updates (FATE#317271). - lockref: add ability to mark lockrefs 'dead' (FATE#317271). - lockref: fix docbook argument names (FATE#317271). - lockref: Relax in cmpxchg loop (FATE#317271). - lockref: implement lockless reference count updates using cmpxchg() (FATE#317271). - lockref: uninline lockref helper functions (FATE#317271). - lockref: add lockref_get_or_lock() helper (FATE#317271). - Add new lockref infrastructure reference implementation (FATE#317271). - vfs: make lremovexattr retry once on ESTALE error. (bnc#876463) - vfs: make removexattr retry once on ESTALE. (bnc#876463) - vfs: make llistxattr retry once on ESTALE error. (bnc#876463) - vfs: make listxattr retry once on ESTALE error. (bnc#876463) - vfs: make lgetxattr retry once on ESTALE. (bnc#876463) - vfs: make getxattr retry once on an ESTALE error. (bnc#876463) - vfs: allow lsetxattr() to retry once on ESTALE errors. (bnc#876463) - vfs: allow setxattr to retry once on ESTALE errors. (bnc#876463) - vfs: allow utimensat() calls to retry once on an ESTALE error. (bnc#876463) - vfs: fix user_statfs to retry once on ESTALE errors. (bnc#876463) - vfs: make fchownat retry once on ESTALE errors. (bnc#876463) - vfs: make fchmodat retry once on ESTALE errors. (bnc#876463) - vfs: have chroot retry once on ESTALE error. (bnc#876463) - vfs: have chdir retry lookup and call once on ESTALE error. (bnc#876463) - vfs: have faccessat retry once on an ESTALE error. (bnc#876463) - vfs: have do_sys_truncate retry once on an ESTALE error. (bnc#876463) - vfs: fix renameat to retry on ESTALE errors. (bnc#876463) - vfs: make do_unlinkat retry once on ESTALE errors. (bnc#876463) - vfs: make do_rmdir retry once on ESTALE errors. (bnc#876463) - vfs: fix linkat to retry once on ESTALE errors. (bnc#876463) - vfs: fix symlinkat to retry on ESTALE errors. (bnc#876463) - vfs: fix mkdirat to retry once on an ESTALE error. (bnc#876463) - vfs: fix mknodat to retry on ESTALE errors. (bnc#876463) - vfs: add a flags argument to user_path_parent. (bnc#876463) - vfs: fix readlinkat to retry on ESTALE. (bnc#876463) - vfs: make fstatat retry on ESTALE errors from getattr call. (bnc#876463) - vfs: add a retry_estale helper function to handle retries on ESTALE. (bnc#876463) - crypto: s390 - fix aes,des ctr mode concurrency finding (bnc#874145, LTC#110078). - s390/cio: fix unlocked access of global bitmap (bnc#874145, LTC#109378). - s390/css: stop stsch loop after cc 3 (bnc#874145, LTC#109378). - s390/pci: add kmsg man page (bnc#874145, LTC#109224). - s390/pci/dma: use correct segment boundary size (bnc#866081, LTC#104566). - cio: Fix missing subchannels after CHPID configure on (bnc#866081, LTC#104808). - cio: Fix process hangs during subchannel scan (bnc#866081, LTC#104805). - cio: fix unusable device (bnc#866081, LTC#104168). - qeth: postpone freeing of qdio memory (bnc#874145, LTC#107873). - Fix race between starved list and device removal. (bnc#861636) - namei.h: include errno.h. (bnc#876463) - ALSA: hda - Implement bind mixer ctls for Conexant. (bnc#872188) - ALSA: hda - Fix invalid Auto-Mute Mode enum from cxt codecs. (bnc#872188) - ALSA: hda - Fix conflicting Capture Source on cxt codecs. (bnc#872188) - ALSA: usb-audio: Fix NULL dereference while quick replugging. (bnc#870335) - powerpc: Bring all threads online prior to migration/hibernation. (bnc#870591) - powerpc/pseries: Update dynamic cache nodes for suspend/resume operation. (bnc#873463) - powerpc/pseries: Device tree should only be updated once after suspend/migrate. (bnc#873463) - powerpc/pseries: Expose in kernel device tree update to drmgr. (bnc#873463) - powerpc: Add second POWER8 PVR entry. (bnc#874440) - libata/ahci: accommodate tag ordered controllers. (bnc#871728) - md: try to remove cause of a spinning md thread. (bnc#875386) - md: fix up plugging (again). (bnc#866800) - NFSv4: Fix a reboot recovery race when opening a file. (bnc#864404) - NFSv4: Ensure delegation recall and byte range lock removal do not conflict. (bnc#864404) - NFSv4: Fix up the return values of nfs4_open_delegation_recall. (bnc#864404) - NFSv4.1: Do not lose locks when a server reboots during delegation return. (bnc#864404) - NFSv4.1: Prevent deadlocks between state recovery and file locking. (bnc#864404) - NFSv4: Allow the state manager to mark an open_owner as being recovered. (bnc#864404) - NFS: nfs_inode_return_delegation() should always flush dirty data. (bnc#864404) - NFSv4: nfs_client_return_marked_delegations cannot flush data. (bnc#864404) - NFS: avoid excessive GETATTR request when attributes expired but cached directory is valid. (bnc#857926) - seqlock: add 'raw_seqcount_begin()' function. (bnc#864404) - Allow nfsdv4 to work when fips=1. (bnc#868488) - NFSv4: Add ACCESS operation to OPEN compound. (bnc#870958) - NFSv4: Fix unnecessary delegation returns in nfs4_do_open. (bnc#870958) - NFSv4: The NFSv4.0 client must send RENEW calls if it holds a delegation. (bnc#863873) - NFSv4: nfs4_proc_renew should be declared static. (bnc#863873) - NFSv4: do not put ACCESS in OPEN compound if O_EXCL. (bnc#870958) - NFS: revalidate on open if dcache is negative. (bnc#876463) - NFSD add module parameter to disable delegations. (bnc#876463) - Do not lose sockets when nfsd shutdown races with connection timeout. (bnc#871854) - timer: Prevent overflow in apply_slack. (bnc#873061) - mei: me: do not load the driver if the FW does not support MEI interface. (bnc#821619) - ipmi: Reset the KCS timeout when starting error recovery. (bnc#870618) - ipmi: Fix a race restarting the timer. (bnc#870618) - ipmi: increase KCS timeouts. (bnc#870618) - bnx2x: Fix kernel crash and data miscompare after EEH recovery. (bnc#881761) - bnx2x: Adapter not recovery from EEH error injection. (bnc#881761) - kabi: hide modifications of struct inet_peer done by bnc#867953 fix. (bnc#867953) - inetpeer: prevent unlinking from unused list twice. (bnc#867953) - Ignore selected taints for tracepoint modules (bnc#870450, FATE#317134). - Use 'E' instead of 'X' for unsigned module taint flag (bnc#870450,FATE#317134). - Fix: module signature vs tracepoints: add new TAINT_UNSIGNED_MODULE (bnc#870450,FATE#317134). - xhci: extend quirk for Renesas cards. (bnc#877497) - scsi: return target failure on EMC inactive snapshot. (bnc#840524) - virtio_balloon: do not softlockup on huge balloon changes. (bnc#871899) - ch: add refcounting. (bnc#867517) - storvsc: NULL pointer dereference fix. (bnc#865330) - Unlock the rename_lock in dentry_path() in the case when path is too long. (bnc#868748)
    last seen 2019-02-21
    modified 2014-09-05
    plugin id 76557
    published 2014-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76557
    title SuSE 11.3 Security Update : Linux kernel (SAT Patch Numbers 9488 / 9491 / 9493)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2014-0287-1.NASL
    description This is a SUSE Linux Enterprise Server 11 SP1 LTSS roll up update to fix a lot of security issues and non-security bugs. The following security bugs have been fixed : CVE-2011-3593: A certain Red Hat patch to the vlan_hwaccel_do_receive function in net/8021q/vlan_core.c in the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 allows remote attackers to cause a denial of service (system crash) via priority-tagged VLAN frames. (bnc#735347) CVE-2012-1601: The KVM implementation in the Linux kernel before 3.3.6 allows host OS users to cause a denial of service (NULL pointer dereference and host OS crash) by making a KVM_CREATE_IRQCHIP ioctl call after a virtual CPU already exists. (bnc#754898) CVE-2012-2137: Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the Linux kernel before 3.2.24 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to Message Signaled Interrupts (MSI), irq routing entries, and an incorrect check by the setup_routing_entry function before invoking the kvm_set_irq function. (bnc#767612) CVE-2012-2372: The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel 3.7.4 and earlier allows local users to cause a denial of service (BUG_ON and kernel panic) by establishing an RDS connection with the source IP address equal to the IPoIB interfaces own IP address, as demonstrated by rds-ping. (bnc#767610) CVE-2012-2745: The copy_creds function in kernel/cred.c in the Linux kernel before 3.3.2 provides an invalid replacement session keyring to a child process, which allows local users to cause a denial of service (panic) via a crafted application that uses the fork system call. (bnc#770695) CVE-2012-3375: The epoll_ctl system call in fs/eventpoll.c in the Linux kernel before 3.2.24 does not properly handle ELOOP errors in EPOLL_CTL_ADD operations, which allows local users to cause a denial of service (file-descriptor consumption and system crash) via a crafted application that attempts to create a circular epoll dependency. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1083. (bnc#769896) CVE-2012-3412: The sfc (aka Solarflare Solarstorm) driver in the Linux kernel before 3.2.30 allows remote attackers to cause a denial of service (DMA descriptor consumption and network-controller outage) via crafted TCP packets that trigger a small MSS value. (bnc#774523) CVE-2012-3430: The rds_recvmsg function in net/rds/recv.c in the Linux kernel before 3.0.44 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) recvfrom or (2) recvmsg system call on an RDS socket. (bnc#773383) CVE-2012-3511: Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5 allow local users to cause a denial of service (use-after-free and system crash) via vectors involving a (1) munmap or (2) close system call. (bnc#776885) CVE-2012-4444: The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote attackers to bypass intended network restrictions via overlapping IPv6 fragments. (bnc#789831) CVE-2012-4530: The load_script function in fs/binfmt_script.c in the Linux kernel before 3.7.2 does not properly handle recursion, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#786013) CVE-2012-4565: The tcp_illinois_info function in net/ipv4/tcp_illinois.c in the Linux kernel before 3.4.19, when the net.ipv4.tcp_congestion_control illinois setting is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) by reading TCP stats. (bnc#787576) CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. (bnc#809889) CVE-2012-6538: The copy_to_user_auth function in net/xfrm/xfrm_user.c in the Linux kernel before 3.6 uses an incorrect C library function for copying a string, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability. (bnc#809889) CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809891) CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 3.6 does not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809892) CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809893) CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return value in certain circumstances, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument. (bnc#809894) CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. (bnc#809898) CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application. (bnc#809899) CVE-2012-6546: The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809900) CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809901) CVE-2012-6548: The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (bnc#809902) CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (bnc#809903) CVE-2013-0160: The Linux kernel through 3.7.9 allows local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device. (bnc#797175) CVE-2013-0216: The Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (loop) by triggering ring pointer corruption. (bnc#800280)(XSA-39) CVE-2013-0231: The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. NOTE: some of these details are obtained from third-party information. (bnc#801178)(XSA-43) CVE-2013-0268: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel before 3.7.6 allows local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c. (bnc#802642) CVE-2013-0310: The cipso_v4_validate function in net/ipv4/cipso_ipv4.c in the Linux kernel before 3.4.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an IPOPT_CIPSO IP_OPTIONS setsockopt system call. (bnc#804653) CVE-2013-0343: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages. (bnc#805226) CVE-2013-0349: The hidp_setup_hid function in net/bluetooth/hidp/core.c in the Linux kernel before 3.7.6 does not properly copy a certain name field, which allows local users to obtain sensitive information from kernel memory by setting a long name and making an HIDPCONNADD ioctl call. (bnc#805227) CVE-2013-0871: Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death. (bnc#804154) CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. (bnc#808827) CVE-2013-1767: Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option. (bnc#806138) CVE-2013-1773: Buffer overflow in the VFAT filesystem implementation in the Linux kernel before 3.3 allows local users to gain privileges or cause a denial of service (system crash) via a VFAT write operation on a filesystem with the utf8 mount option, which is not properly handled during UTF-8 to UTF-16 conversion. (bnc#806977) CVE-2013-1774: The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter. (bnc#806976) CVE-2013-1792: Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) via crafted keyctl system calls that trigger keyring operations in simultaneous threads. (bnc#808358) CVE-2013-1796: The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application. (bnc#806980) CVE-2013-1797: Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation. (bnc#806980) CVE-2013-1798: The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application. (bnc#806980) CVE-2013-1827: net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call. (bnc#811354) CVE-2013-1928: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel before 3.6.5 on unspecified architectures lacks a certain error check, which might allow local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device. (bnc#813735) CVE-2013-1943: The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified during allocation of memory slots for use in a guests physical address space, which allows local users to gain privileges or obtain sensitive information from kernel memory via a crafted application, related to arch/x86/kvm/paging_tmpl.h and virt/kvm/kvm_main.c. (bnc#828012) CVE-2013-2015: The ext4_orphan_del function in fs/ext4/namei.c in the Linux kernel before 3.7.3 does not properly handle orphan-list entries for non-journal filesystems, which allows physically proximate attackers to cause a denial of service (system hang) via a crafted filesystem on removable media, as demonstrated by the e2fsprogs tests/f_orphan_extents_inode/image.gz test. (bnc#817377) CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call. (bnc#823267) CVE-2013-2147: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel through 3.9.4 do not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c. (bnc#823260) CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. (bnc#824295) CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. (bnc#827750) CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. (bnc#827749) CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (bnc#828119) CVE-2013-2634: net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#810473) CVE-2013-2851: Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name. (bnc#822575) CVE-2013-2852: Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message. (bnc#822579) CVE-2013-2888: Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID. (bnc#835839) CVE-2013-2889: drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. (bnc#835839) CVE-2013-2892: drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. (bnc#835839) CVE-2013-2893: The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c. (bnc#835839) CVE-2013-2897: Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device. (bnc#835839) CVE-2013-2929: The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h. (bnc#847652) CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3225: The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3235: net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-4345: Off-by-one error in the get_prng_bytes function in crypto/ansi_cprng.c in the Linux kernel through 3.11.4 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via multiple requests for small amounts of data, leading to improper management of the state of the consumed data. (bnc#840226) CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. (bnc#847672) CVE-2013-4483: The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application. (bnc#848321) CVE-2013-4511: Multiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c. (bnc#849021) CVE-2013-4587: Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value. (bnc#853050) CVE-2013-4588: Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function. (bnc#851095) CVE-2013-4591: Buffer overflow in the __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the Linux kernel before 3.7.2 allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via a getxattr system call for the system.nfs4_acl extended attribute of a pathname on an NFSv4 filesystem. (bnc#851103) CVE-2013-6367: The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value. (bnc#853051) CVE-2013-6368: The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address. (bnc#853052) CVE-2013-6378: The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation. (bnc#852559) CVE-2013-6383: The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call. (bnc#852558) CVE-2014-1444: The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869) CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call. (bnc#858870) CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. (bnc#858872) Also the following non-security bugs have been fixed : - x86: Clear HPET configuration registers on startup (bnc#748896). - sched: fix divide by zero in task_utime() (bnc#761774). - sched: Fix pick_next_highest_task_rt() for cgroups (bnc#760596). - mm: hugetlbfs: Close race during teardown of hugetlbfs shared page tables. - mm: hugetlbfs: Correctly detect if page tables have just been shared. (Fix bad PMD message displayed while using hugetlbfs (bnc#762366)). - cpumask: Partition_sched_domains takes array of cpumask_var_t (bnc#812364). - cpumask: Simplify sched_rt.c (bnc#812364). - kabi: protect bind_conflict callback in struct inet_connection_sock_af_ops (bnc#823618). - memcg: fix init_section_page_cgroup pfn alignment (bnc#835481). - tty: fix up atime/mtime mess, take three (bnc#797175). - tty: fix atime/mtime regression (bnc#815745). - ptrace: ptrace_resume() should not wake up !TASK_TRACED thread (bnc#804154). - kbuild: Fix gcc -x syntax (bnc#773831). - ftrace: Disable function tracing during suspend/resume and hibernation, again (bnc#768668). proc: fix pagemap_read() error case (bnc#787573). net: Upgrade device features irrespective of mask (bnc#715250). - tcp: bind() fix autoselection to share ports (bnc#823618). - tcp: bind() use stronger condition for bind_conflict (bnc#823618). - tcp: ipv6: bind() use stronger condition for bind_conflict (bnc#823618). - netfilter: use RCU safe kfree for conntrack extensions (bnc#827416). - netfilter: prevent race condition breaking net reference counting (bnc#835094). - netfilter: send ICMPv6 message on fragment reassembly timeout (bnc#773577). - netfilter: fix sending ICMPv6 on netfilter reassembly timeout (bnc#773577). - tcp_cubic: limit delayed_ack ratio to prevent divide error (bnc#810045). bonding: in balance-rr mode, set curr_active_slave only if it is up (bnc#789648). scsi: Add 'eh_deadline' to limit SCSI EH runtime (bnc#798050). - scsi: Allow error handling timeout to be specified (bnc#798050). - scsi: Fixup compilation warning (bnc#798050). - scsi: Retry failfast commands after EH (bnc#798050). - scsi: Warn on invalid command completion (bnc#798050). - scsi: Always retry internal target error (bnc#745640, bnc#825227). - scsi: kABI fixes (bnc#798050). - scsi: remove check for 'resetting' (bnc#798050). - scsi: Eliminate error handler overload of the SCSI serial number (bnc#798050). - scsi: Reduce error recovery time by reducing use of TURs (bnc#798050). - scsi: Reduce sequential pointer derefs in scsi_error.c and reduce size as well (bnc#798050). - scsi: cleanup setting task state in scsi_error_handler() (bnc#798050). - scsi: fix eh wakeup (scsi_schedule_eh vs scsi_restart_operations) (bnc#798050). scsi: fix id computation in scsi_eh_target_reset() (bnc#798050). advansys: Remove 'last_reset' references (bnc#798050). - dc395: Move 'last_reset' into internal host structure (bnc#798050). - dpt_i2o: Remove DPTI_STATE_IOCTL (bnc#798050). - dpt_i2o: return SCSI_MLQUEUE_HOST_BUSY when in reset (bnc#798050). - fc class: fix scanning when devs are offline (bnc#798050). tmscsim: Move 'last_reset' into host structure (bnc#798050). st: Store page order before driver buffer allocation (bnc#769644). - st: Increase success probability in driver buffer allocation (bnc#769644). st: work around broken __bio_add_page logic (bnc#769644). avoid race by ignoring flush_time in cache_check (bnc#814363). writeback: remove the internal 5% low bound on dirty_ratio - writeback: skip balance_dirty_pages() for in-memory fs (Do not dirty throttle ram-based filesystems (bnc#840858)). writeback: Do not sync data dirtied after sync start (bnc#833820). blkdev_max_block: make private to fs/buffer.c (bnc#820338). - vfs: avoid 'attempt to access beyond end of device' warnings (bnc#820338). vfs: fix O_DIRECT read past end of block device (bnc#820338). lib/radix-tree.c: make radix_tree_node_alloc() work correctly within interrupt (bnc#763463). xfs: allow writeback from kswapd (bnc#826707). - xfs: skip writeback from reclaim context (bnc#826707). - xfs: Serialize file-extending direct IO (bnc#818371). - xfs: Avoid pathological backwards allocation (bnc#805945). xfs: fix inode lookup race (bnc#763463). cifs: clarify the meaning of tcpStatus == CifsGood (bnc#776024). cifs: do not allow cifs_reconnect to exit with NULL socket pointer (bnc#776024). ocfs2: Add a missing journal credit in ocfs2_link_credits() -v2 (bnc#773320). usb: Fix deadlock in hid_reset when Dell iDRAC is reset (bnc#814716). usb: xhci: Fix command completion after a drop endpoint (bnc#807320). netiucv: Hold rtnl between name allocation and device registration (bnc#824159). rwsem: Test for no active locks in __rwsem_do_wake undo code (bnc#813276). nfs: NFSv3/v2: Fix data corruption with NFS short reads (bnc#818337). - nfs: Allow sec=none mounts in certain cases (bnc#795354). - nfs: Make nfsiod a multi-thread queue (bnc#815352). - nfs: increase number of permitted callback connections (bnc#771706). - nfs: Fix Oops in nfs_lookup_revalidate (bnc#780008). - nfs: do not allow TASK_KILLABLE sleeps to block the freezer (bnc#775182). nfs: Avoid race in d_splice_alias and vfs_rmdir (bnc#845028). svcrpc: take lock on turning entry NEGATIVE in cache_check (bnc#803320). - svcrpc: ensure cache_check caller sees updated entry (bnc#803320). - sunrpc/cache: remove races with queuing an upcall (bnc#803320). - sunrpc/cache: use cache_fresh_unlocked consistently and correctly (bnc#803320). - sunrpc/cache: ensure items removed from cache do not have pending upcalls (bnc#803320). - sunrpc/cache: do not schedule update on cache item that has been replaced (bnc#803320). sunrpc/cache: fix test in try_to_negate (bnc#803320). xenbus: fix overflow check in xenbus_dev_write(). - x86: do not corrupt %eip when returning from a signal handler. - scsiback/usbback: move cond_resched() invocations to proper place. netback: fix netbk_count_requests(). dm: add dm_deleting_md function (bnc#785016). - dm: bind new table before destroying old (bnc#785016). - dm: keep old table until after resume succeeded (bnc#785016). dm: rename dm_get_table to dm_get_live_table (bnc#785016). drm/edid: Fix up partially corrupted headers (bnc#780004). drm/edid: Retry EDID fetch up to four times (bnc#780004). i2c-algo-bit: Fix spurious SCL timeouts under heavy load (bnc#780004). hpilo: remove pci_disable_device (bnc#752544). mptsas: handle 'Initializing Command Required' ASCQ (bnc#782178). mpt2sas: Fix race on shutdown (bnc#856917). ipmi: decrease the IPMI message transaction time in interrupt mode (bnc#763654). - ipmi: simplify locking (bnc#763654). ipmi: use a tasklet for handling received messages (bnc#763654). bnx2x: bug fix when loading after SAN boot (bnc#714906). bnx2x: previous driver unload revised (bnc#714906). ixgbe: Address fact that RSC was not setting GSO size for incoming frames (bnc#776144). ixgbe: pull PSRTYPE configuration into a separate function (bnc#780572 bnc#773640 bnc#776144). e1000e: clear REQ and GNT in EECD (82571 && 82572) (bnc#762099). hpsa: do not attempt to read from a write-only register (bnc#777473). aio: Fixup kABI for the aio-implement-request-batching patch (bnc#772849). - aio: bump i_count instead of using igrab (bnc#772849). aio: implement request batching (bnc#772849). Driver core: Do not remove kobjects in device_shutdown (bnc#771992). resources: fix call to alignf() in allocate_resource() (bnc#744955). - resources: when allocate_resource() fails, leave resource untouched (bnc#744955). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 83611
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83611
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2014:0287-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2906.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2013-0343 George Kargiotakis reported an issue in the temporary address handling of the IPv6 privacy extensions. Users on the same LAN can cause a denial of service or obtain access to sensitive information by sending router advertisement messages that cause temporary address generation to be disabled. - CVE-2013-2147 Dan Carpenter reported issues in the cpqarray driver for Compaq Smart2 Controllers and the cciss driver for HP Smart Array controllers allowing users to gain access to sensitive kernel memory. - CVE-2013-2889 Kees Cook discovered missing input sanitization in the HID driver for Zeroplus game pads that could lead to a local denial of service. - CVE-2013-2893 Kees Cook discovered that missing input sanitization in the HID driver for various Logitech force feedback devices could lead to a local denial of service. - CVE-2013-2929 Vasily Kulikov discovered that a flaw in the get_dumpable() function of the ptrace subsytsem could lead to information disclosure. Only systems with the fs.suid_dumpable sysctl set to a non-default value of '2' are vulnerable. - CVE-2013-4162 Hannes Frederic Sowa discovered that incorrect handling of IPv6 sockets using the UDP_CORK option could result in denial of service. - CVE-2013-4299 Fujitsu reported an issue in the device-mapper subsystem. Local users could gain access to sensitive kernel memory. - CVE-2013-4345 Stephan Mueller found in bug in the ANSI pseudo random number generator which could lead to the use of less entropy than expected. - CVE-2013-4512 Nico Golde and Fabian Yamaguchi reported an issue in the user mode linux port. A buffer overflow condition exists in the write method for the /proc/exitcode file. Local users with sufficient privileges allowing them to write to this file could gain further elevated privileges. - CVE-2013-4587 Andrew Honig of Google reported an issue in the KVM virtualization subsystem. A local user could gain elevated privileges by passing a large vcpu_id parameter. - CVE-2013-6367 Andrew Honig of Google reported an issue in the KVM virtualization subsystem. A divide-by-zero condition could allow a guest user to cause a denial of service on the host (crash). - CVE-2013-6380 Mahesh Rajashekhara reported an issue in the aacraid driver for storage products from various vendors. Local users with CAP_SYS_ADMIN privileges could gain further elevated privileges. - CVE-2013-6381 Nico Golde and Fabian Yamaguchi reported an issue in the Gigabit Ethernet device support for s390 systems. Local users could cause a denial of service or gain elevated privileges via the SIOC_QETH_ADP_SET_SNMP_CONTROL ioctl. - CVE-2013-6382 Nico Golde and Fabian Yamaguchi reported an issue in the XFS filesystem. Local users with CAP_SYS_ADMIN privileges could gain further elevated privileges. - CVE-2013-6383 Dan Carpenter reported an issue in the aacraid driver for storage devices from various vendors. A local user could gain elevated privileges due to a missing privilege level check in the aac_compat_ioctl function. - CVE-2013-7263 CVE-2013-7264 CVE-2013-7265 mpb reported an information leak in the recvfrom, recvmmsg and recvmsg system calls. A local user could obtain access to sensitive kernel memory. - CVE-2013-7339 Sasha Levin reported an issue in the RDS network protocol over Infiniband. A local user could cause a denial of service condition. - CVE-2014-0101 Nokia Siemens Networks reported an issue in the SCTP network protocol subsystem. Remote users could cause a denial of service (NULL pointer dereference). - CVE-2014-1444 Salva Peiro reported an issue in the FarSync WAN driver. Local users with the CAP_NET_ADMIN capability could gain access to sensitive kernel memory. - CVE-2014-1445 Salva Peiro reported an issue in the wanXL serial card driver. Local users could gain access to sensitive kernel memory. - CVE-2014-1446 Salva Peiro reported an issue in the YAM radio modem driver. Local users with the CAP_NET_ADMIN capability could gain access to sensitive kernel memory. - CVE-2014-1874 Matthew Thode reported an issue in the SELinux subsystem. A local user with CAP_MAC_ADMIN privileges could cause a denial of service by setting an empty security context on a file. - CVE-2014-2039 Martin Schwidefsky reported an issue on s390 systems. A local user could cause a denial of service (kernel oops) by executing an application with a linkage stack instruction. - CVE-2014-2523 Daniel Borkmann provided a fix for an issue in the nf_conntrack_dccp module. Remote users could cause a denial of service (system crash) or potentially gain elevated privileges.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 73713
    published 2014-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73713
    title Debian DSA-2906-1 : linux-2.6 - privilege escalation/denial of service/information leak
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2014-0536-1.NASL
    description The SUSE Linux Enterprise Server 10 Service Pack 4 LTSS kernel has been updated to fix various security issues and several bugs. The following security issues have been addressed : CVE-2011-2492: The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c. (bnc#702014) CVE-2011-2494: kernel/taskstats.c in the Linux kernel before 3.1 allows local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password. (bnc#703156) CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. (bnc#809889) CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809891) CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 3.6 does not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809892) CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809893) CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return value in certain circumstances, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument. (bnc#809894) CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. (bnc#809898) CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application. (bnc#809899) CVE-2012-6546: The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809900) CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809901) CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (bnc#809903) CVE-2013-0343: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages. (bnc#805226) CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. (bnc#808827) CVE-2013-1827: net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call. (bnc#811354) CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call. (bnc#823267) CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. (bnc#824295) CVE-2013-2206: The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic. (bnc#826102) CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. (bnc#827750) CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. (bnc#827749) CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (bnc#828119) CVE-2013-2888: Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID. (bnc#835839) CVE-2013-2893: The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c. (bnc#835839) CVE-2013-2897: Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device. (bnc#835839) CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3235: net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-4162: The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (bnc#831058) CVE-2013-4387: net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response packet. (bnc#843430) CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. (bnc#847672) CVE-2013-4483: The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application. (bnc#848321) CVE-2013-4588: Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function. (bnc#851095) CVE-2013-6383: The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call. (bnc#852558) CVE-2014-1444: The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869) CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call. (bnc#858870) CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. (bnc#858872) Also the following non-security bugs have been fixed : - kernel: Remove newline from execve audit log (bnc#827855). - kernel: sclp console hangs (bnc#830344, LTC#95711). - kernel: fix flush_tlb_kernel_range (bnc#825052, LTC#94745). kernel: lost IPIs on CPU hotplug (bnc#825052, LTC#94784). sctp: deal with multiple COOKIE_ECHO chunks (bnc#826102). - net: Uninline kfree_skb and allow NULL argument (bnc#853501). - netback: don't disconnect frontend when seeing oversize packet. netfront: reduce gso_max_size to account for max TCP header. fs/dcache: Avoid race in d_splice_alias and vfs_rmdir (bnc#845028). - fs/proc: proc_task_lookup() fix memory pinning (bnc#827362 bnc#849765). - blkdev_max_block: make private to fs/buffer.c (bnc#820338). - vfs: avoid 'attempt to access beyond end of device' warnings (bnc#820338). - vfs: fix O_DIRECT read past end of block device (bnc#820338). - cifs: don't use CIFSGetSrvInodeNumber in is_path_accessible (bnc#832603). - xfs: Fix kABI breakage caused by AIL list transformation (bnc#806219). - xfs: Replace custom AIL linked-list code with struct list_head (bnc#806219). - reiserfs: fix problems with chowning setuid file w/ xattrs (bnc#790920). - reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry (bnc#822722). jbd: Fix forever sleeping process in do_get_write_access() (bnc#827983). HID: check for NULL field when setting values (bnc#835839). - HID: provide a helper for validating hid reports (bnc#835839). - bcm43xx: netlink deadlock fix (bnc#850241). - bnx2: Close device if tx_timeout reset fails (bnc#857597). - xfrm: invalidate dst on policy insertion/deletion (bnc#842239). - xfrm: prevent ipcomp scratch buffer race condition (bnc#842239). - lpfc: Update to 8.2.0.106 (bnc#798050). - Make lpfc task management timeout configurable (bnc#798050). - dpt_i2o: Remove DPTI_STATE_IOCTL (bnc#798050). - dpt_i2o: return SCSI_MLQUEUE_HOST_BUSY when in reset (bnc#798050). - advansys: Remove 'last_reset' references (bnc#798050). - tmscsim: Move 'last_reset' into host structure (bnc#798050). dc395: Move 'last_reset' into internal host structure (bnc#798050). scsi: remove check for 'resetting' (bnc#798050). - scsi: Allow error handling timeout to be specified (bnc#798050). - scsi: Eliminate error handler overload of the SCSI serial number (bnc#798050). - scsi: Reduce sequential pointer derefs in scsi_error.c and reduce size as well (bnc#798050). - scsi: Reduce error recovery time by reducing use of TURs (bnc#798050). - scsi: fix eh wakeup (scsi_schedule_eh vs scsi_restart_operations) - scsi: cleanup setting task state in scsi_error_handler() (bnc#798050). - scsi: Add 'eh_deadline' to limit SCSI EH runtime (bnc#798050). - scsi: Fixup compilation warning (bnc#798050). - scsi: fc class: fix scanning when devs are offline (bnc#798050). - scsi: Warn on invalid command completion (bnc#798050). - scsi: Retry failfast commands after EH (bnc#798050). - scsi: kABI fixes (bnc#798050). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 83618
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83618
    title SUSE SLES10 Security Update : kernel (SUSE-SU-2014:0536-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-1072.NASL
    description The 3.12.8 stable update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 72031
    published 2014-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72031
    title Fedora 19 : kernel-3.12.8-200.fc19 (2014-1072)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2117-1.NASL
    description Saran Neti reported a flaw in the ipv6 UDP Fragmentation Offload (UFI) in the Linux kernel. A remote attacker could exploit this flaw to cause a denial of service (panic). (CVE-2013-4563) Mathy Vanhoef discovered an error in the the way the ath9k driver was handling the BSSID masking. A remote attacker could exploit this error to discover the original MAC address after a spoofing atack. (CVE-2013-4579) Andrew Honig reported a flaw in the Linux Kernel's kvm_vm_ioctl_create_vcpu function of the Kernel Virtual Machine (KVM) subsystem. A local user could exploit this flaw to gain privileges on the host machine. (CVE-2013-4587) Andrew Honig reported a flaw in the apic_get_tmcct function of the Kernel Virtual Machine (KVM) subsystem if the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service or host OS system crash. (CVE-2013-6367) Andrew Honig reported an error in the Linux Kernel's Kernel Virtual Machine (KVM) VAPIC synchronization operation. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-6368) Lars Bull discovered a flaw in the recalculate_apic_map function of the Kernel Virtual Machine (KVM) subsystem in the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service (host OS crash). (CVE-2013-6376) Nico Golde and Fabian Yamaguchi reported buffer underflow errors in the implementation of the XFS filesystem in the Linux kernel. A local user with CAP_SYS_ADMIN could exploit these flaw to cause a denial of service (memory corruption) or possibly other unspecified issues. (CVE-2013-6382) A flaw was discovered in the ipv4 ping_recvmsg function of the Linux kernel. A local user could exploit this flaw to cause a denial of service (NULL pointer dereference and system crash). (CVE-2013-6432) mpd reported an information leak in the recvfrom, recvmmsg, and recvmsg system calls in the Linux kernel. An unprivileged local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7263) mpb reported an information leak in the Layer Two Tunneling Protocol (l2tp) of the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7264) mpb reported an information leak in the Phone Network protocol (phonet) in the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7265) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with ISDN sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7266) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with apple talk sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7267) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with ipx protocol sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7268) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with the netrom address family in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7269) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with packet address family sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7270) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with x25 protocol sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7271) mpb reported an information leak in the Low-Rate Wireless Personal Area Networks support (IEEE 802.15.4) in the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7281) halfdog reported an error in the AMD K7 and K8 platform support in the Linux kernel. An unprivileged local user could exploit this flaw on AMD based systems to cause a denial of service (task kill) or possibly gain privileges via a crafted application. (CVE-2014-1438) An information leak was discovered in the Linux kernel's hamradio YAM driver for AX.25 packet radio. A local user with the CAP_NET_ADMIN capability could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2014-1446). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 72578
    published 2014-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72578
    title Ubuntu 13.10 : linux vulnerabilities (USN-2117-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2129-1.NASL
    description An information leak was discovered in the Linux kernel when inotify is used to monitor the /dev/ptmx device. A local user could exploit this flaw to discover keystroke timing and potentially discover sensitive information like password length. (CVE-2013-0160) Vasily Kulikov reported a flaw in the Linux kernel's implementation of ptrace. An unprivileged local user could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2013-2929) Andrew Honig reported a flaw in the Linux Kernel's kvm_vm_ioctl_create_vcpu function of the Kernel Virtual Machine (KVM) subsystem. A local user could exploit this flaw to gain privileges on the host machine. (CVE-2013-4587) Andrew Honig reported a flaw in the apic_get_tmcct function of the Kernel Virtual Machine (KVM) subsystem if the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service or host OS system crash. (CVE-2013-6367) Nico Golde and Fabian Yamaguchi reported a flaw in the driver for Adaptec AACRAID scsi raid devices in the Linux kernel. A local user could use this flaw to cause a denial of service or possibly other unspecified impact. (CVE-2013-6380) Nico Golde and Fabian Yamaguchi reported buffer underflow errors in the implementation of the XFS filesystem in the Linux kernel. A local user with CAP_SYS_ADMIN could exploit these flaw to cause a denial of service (memory corruption) or possibly other unspecified issues. (CVE-2013-6382) Evan Huus reported a buffer overflow in the Linux kernel's radiotap header parsing. A remote attacker could cause a denial of service (buffer over- read) via a specially crafted header. (CVE-2013-7027) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with ISDN sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7266) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with apple talk sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7267) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with ipx protocol sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7268) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with the netrom address family in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7269) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with packet address family sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7270) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with x25 protocol sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7271) An information leak was discovered in the Linux kernel's SIOCWANDEV ioctl call. A local user with the CAP_NET_ADMIN capability could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1444) An information leak was discovered in the wanxl ioctl function the Linux kernel. A local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1445) An information leak was discovered in the Linux kernel's hamradio YAM driver for AX.25 packet radio. A local user with the CAP_NET_ADMIN capability could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2014-1446) Matthew Thode reported a denial of service vulnerability in the Linux kernel when SELinux support is enabled. A local user with the CAP_MAC_ADMIN capability (and the SELinux mac_admin permission if running in enforcing mode) could exploit this flaw to cause a denial of service (kernel crash). (CVE-2014-1874). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 72858
    published 2014-03-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72858
    title Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-2129-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-038.NASL
    description Multiple vulnerabilities has been found and corrected in the Linux kernel : The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter (CVE-2014-0038). The restore_fpu_checking function in arch/x86/include/asm/fpu-internal.h in the Linux kernel before 3.12.8 on the AMD K7 and K8 platforms does not clear pending exceptions before proceeding to an EMMS instruction, which allows local users to cause a denial of service (task kill) or possibly gain privileges via a crafted application (CVE-2014-1438). The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call (CVE-2014-1446). The updated packages provides a solution for these security issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 72553
    published 2014-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72553
    title Mandriva Linux Security Advisory : kernel (MDVSA-2014:038)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2014-0832-1.NASL
    description The SUSE Linux Enterprise Server 10 SP3 LTSS received a roll up update to fix several security and non-security issues. The following security issues have been fixed : CVE-2013-0343: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages. (bnc#805226) CVE-2013-2888: Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID. (bnc#835839) CVE-2013-2893: The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c. (bnc#835839) CVE-2013-2897: Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device. (bnc#835839) CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. (bnc#847672) CVE-2013-4483: The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application. (bnc#848321) CVE-2013-4588: Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function. (bnc#851095) CVE-2013-6382: Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c. (bnc#852553) CVE-2013-6383: The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call. (bnc#852558) CVE-2013-7263: The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#857643) CVE-2013-7264: The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643) CVE-2013-7265: The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643) CVE-2014-1444: The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869) CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call. (bnc#858870) CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. (bnc#858872) CVE-2014-1737: The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device. (bnc#875798) CVE-2014-1738: The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device. (bnc#875798) The following bugs have been fixed : - kernel: sclp console hangs (bnc#830344, LTC#95711, bnc#860304). - ia64: Change default PSR.ac from '1' to '0' (Fix erratum #237) (bnc#874108). - net: Uninline kfree_skb and allow NULL argument (bnc#853501). - tcp: syncookies: reduce cookie lifetime to 128 seconds (bnc#833968). - tcp: syncookies: reduce mss table to four values (bnc#833968). - udp: Fix bogus UFO packet generation (bnc#847672). - blkdev_max_block: make private to fs/buffer.c (bnc#820338). - vfs: avoid 'attempt to access beyond end of device' warnings (bnc#820338). - vfs: fix O_DIRECT read past end of block device (bnc#820338). - HID: check for NULL field when setting values (bnc#835839). - HID: provide a helper for validating hid reports (bnc#835839). - dl2k: Tighten ioctl permissions (bnc#758813). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-05-20
    plugin id 83628
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83628
    title SUSE SLES10 Security Update : kernel (SUSE-SU-2014:0832-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2133-1.NASL
    description Mathy Vanhoef discovered an error in the the way the ath9k driver was handling the BSSID masking. A remote attacker could exploit this error to discover the original MAC address after a spoofing atack. (CVE-2013-4579) Andrew Honig reported an error in the Linux Kernel's Kernel Virtual Machine (KVM) VAPIC synchronization operation. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-6368) halfdog reported an error in the AMD K7 and K8 platform support in the Linux kernel. An unprivileged local user could exploit this flaw on AMD based systems to cause a denial of service (task kill) or possibly gain privileges via a crafted application. (CVE-2014-1438) An information leak was discovered in the Linux kernel's hamradio YAM driver for AX.25 packet radio. A local user with the CAP_NET_ADMIN capability could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2014-1446) Matthew Thode reported a denial of service vulnerability in the Linux kernel when SELinux support is enabled. A local user with the CAP_MAC_ADMIN capability (and the SELinux mac_admin permission if running in enforcing mode) could exploit this flaw to cause a denial of service (kernel crash). (CVE-2014-1874). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 72897
    published 2014-03-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72897
    title Ubuntu 12.04 LTS : linux vulnerabilities (USN-2133-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-375.NASL
    description This Linux kernel security update fixes various security issues and bugs. The Linux Kernel was updated to fix various security issues and bugs. Main security issues fixed : A security issue in the tty layer that was fixed that could be used by local attackers for code execution (CVE-2014-0196). Two security issues in the floppy driver were fixed that could be used by local attackers on machines with the floppy to crash the kernel or potentially execute code in the kernel (CVE-2014-1737 CVE-2014-1738). Other security issues and bugfixes : - netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper (bnc#860835 CVE-2014-1690). - net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH (bnc#866102, CVE-2014-0101). - [media] ivtv: Fix Oops when no firmware is loaded (bnc#875440). - ALSA: hda - Add dock pin setups for Thinkpad T440 (bnc#876699). - ip6tnl: fix double free of fb_tnl_dev on exit (bnc#876531). - Update arm config files: Enable all USB-to-serial drivers Specifically, enable USB_SERIAL_WISHBONE and USB_SERIAL_QT2 on all arm flavors. - mei: limit the number of consecutive resets (bnc#821619,bnc#852656). - mei: revamp mei reset state machine (bnc#821619,bnc#852656). - mei: use hbm idle state to prevent spurious resets (bnc#821619). - mei: do not run reset flow from the interrupt thread (bnc#821619,bnc#852656). - mei: don't get stuck in select during reset (bnc#821619). - mei: wake also writers on reset (bnc#821619). - mei: remove flash_work_queue (bnc#821619,bnc#852656). - mei: me: do not load the driver if the FW doesn't support MEI interface (bnc#821619). - Update ec2 config files: Disable CONFIG_CAN CAN support is disabled everywhere else, so disable it in ec2 too. - Refresh Xen patches (bnc#851244). - Update arm/exynos config file: disable AHCI_IMX This driver is only used on Freescale i.MX systems so it isn't needed on Exynos. - drm: Prefer noninterlace cmdline mode unless explicitly specified (bnc#853350). - kabi/severities: add exception for irda. The changes resulted in a 4x performance increase. Any external users of this API will also want to rebuild their modules. - i7core_edac: Fix PCI device reference count. - KABI: revert tcp: TSO packets automatic sizing. - KABI: revert tcp: TSQ can use a dynamic limit. - kabi: add exceptions for kvm and l2tp - patches.fixes/sunrpc-add-an-info-file-for-the-dummy-gssd -pipe.patch: Move include of utsname.h to where it's needed to avoid kABI breakage due to utsname becoming defined. - Update kabi files. The kABI references were never establishd at release. - Refresh patches.rpmify/chipidea-clean-up-dependencies Replace OF_DEVICE by OF (OF_DEVICE does not exist anymore.) - inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu functions (bnc#857643 CVE-2013-7263 CVE-2013-7264 CVE-2013-7265). - inet: prevent leakage of uninitialized memory to user in recv syscalls (bnc#857643 CVE-2013-7263 CVE-2013-7264 CVE-2013-7265 CVE-2013-7281). - Update config files: re-enable twofish crypto support Software twofish crypto support was disabled in several architectures since openSUSE 10.3. For i386 and x86_64 it was on purpose, because hardware-accelerated alternatives exist. However for all other architectures it was by accident. Re-enable software twofish crypto support in arm, ia64 and ppc configuration files, to guarantee that at least one implementation is always available (bnc#871325). - kvm: optimize away THP checks in kvm_is_mmio_pfn() (bnc#871160). - Update patches.fixes/mm-close-PageTail-race.patch (bnc#871160). - Update patches.fixes/mm-hugetlbfs-fix-hugetlbfs-optimization.pa tch (bnc#871160). - mm: close PageTail race (bnc#81660). - mm: hugetlbfs: fix hugetlbfs optimization (bnc#81660). - Update config files: disable CONFIG_TOUCHSCREEN_W90X900 The w90p910_ts driver only makes sense on the W90x900 architecture, which we do not support. - ath9k: protect tid->sched check (bnc#871148,CVE-2014-2672). - Update ec2 config files: disable CONFIG_INPUT_FF_MEMLESS This helper module is useless on EC2. - SELinux: Fix kernel BUG on empty security contexts (bnc#863335,CVE-2014-1874). - hamradio/yam: fix info leak in ioctl (bnc#858872,CVE-2014-1446). - netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages (bnc#868653 CVE-2014-2523). - ath9k_htc: properly set MAC address and BSSID mask (bnc#851426,CVE-2013-4579). - drm/ttm: don't oops if no invalidate_caches() (bnc#869414). - Btrfs: do not bug_on if we try to cow a free space cache inode (bnc#863235). - Update vanilla config files: enable console rotation It's enabled in all other kernel flavors so it should be enabled in vanilla too. - Update config files. (CONFIG_EFIVAR_FS=m) Due to systemd can auto-load efivarfs.ko, so wet CONFIG_EFIVAR_FS to module on x86_64. - libata, freezer: avoid block device removal while system is frozen (bnc#849334). - Enable CONFIG_IRDA_FAST_RR=y (bnc#860502) - [media] bttv: don't setup the controls if there are no video devices (bnc#861750). - drm/i915/dp: add native aux defer retry limit (bnc#867718). - drm/i915/dp: increase native aux defer retry timeout (bnc#867718). - rpc_pipe: fix cleanup of dummy gssd directory when notification fails (bnc#862746). - sunrpc: add an 'info' file for the dummy gssd pipe (bnc#862746). - rpc_pipe: remove the clntXX dir if creating the pipe fails (bnc#862746). - Delete rpm/_constraints after mismerge Sat Mar 8 00:41:07 CET 2014 - jbohac@suse.cz - Refresh patches.fixes/tcp-syncookies-reduce-cookie-lifetime-to-1 28-seconds.patch. - tcp: syncookies: reduce cookie lifetime to 128 seconds (bnc#833968). - tcp: syncookies: reduce mss table to four values (bnc#833968). - rpm/mkspec: Generate a per-architecture per-package _constraints file - rpm/mkspec: Remove dead code - Refresh patches.fixes/rtc-cmos-add-an-alarm-disable-quirk.patch. - rtc-cmos: Add an alarm disable quirk (bnc#812592). - Refresh patches.xen/xen-x86-EFI. - Refresh patches.apparmor/apparmor-compatibility-patch-for-v5-net work-control. patches.drivers/pstore_disable_efi_backend_by_default.pa tch. patches.fixes/dm-table-switch-to-readonly. patches.fixes/kvm-ioapic.patch. patches.fixes/kvm-macos.patch. patches.fixes/remount-no-shrink-dcache. patches.fixes/scsi-dh-queuedata-accessors. patches.suse/0001-vfs-Hooks-for-more-fine-grained-direct ory-permission.patch. patches.suse/ovl01-vfs-add-i_op-dentry_open.patch. patches.suse/sd_init.mark_majors_busy.patch. - rpm/mkspec: Fix whitespace in NoSource lines - rpm/kernel-binary.spec.in: Do not zero modules.dep before using it (bnc#866075) - rpm/kernel-obs-build.spec: Drop useless ExclusiveArch statement - Update config files. Set CONFIG_EFIVAR_FS to build-in for MOK support Update config files. Set CONFIG_EFIVAR_FS to build-in for MOK support - nfs: always make sure page is up-to-date before extending a write to cover the entire page (bnc#864867 bnc#865075). - x86, cpu, amd: Add workaround for family 16h, erratum 793 (bnc#852967 CVE-2013-6885). - Refresh patches.xen/xen3-patch-3.10. - cifs: ensure that uncached writes handle unmapped areas correctly (bnc#864025 CVE-2014-0069). - x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround (bnc#858638 CVE-2014-1438). - rpm/kernel-obs-build.spec: Do not mount /sys, the build script does it - Update config files: Disable TS5500-specific drivers These drivers are useless without TS5500 board support: mtd-ts5500, gpio-ts5500 and max197. - balloon: don't crash in HVM-with-PoD guests. - usbback: fix after c/s 1232:8806dfb939d4 (bnc#842553). - hwmon: (coretemp) Fix truncated name of alarm attributes. - rpm/kernel-obs-build.spec: Fix for ppc64le - Scripts: .nosrc.rpm should contain only the specfile (bnc #639379) - config: update arm7hl/exynos - Enhances exynos support : - Add USB support - Add sound support - Add devices (accelerometer, etc.) on arndale board - drm/cirrus: Fix cirrus drm driver for fbdev + qemu (bnc#856760). - Spec: zeroing modules.dep to get identical builds among different machines - doc/README.SUSE: Update to match the current package layout - Add the README.SUSE file to the packaging branch - lockd: send correct lock when granting a delayed lock (bnc#859342). - mm/page-writeback.c: do not count anon pages as dirtyable memory (reclaim stalls). - mm/page-writeback.c: fix dirty_balance_reserve subtraction from dirtyable memory (reclaim stalls).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75363
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75363
    title openSUSE Security Update : kernel (openSUSE-SU-2014:0678-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2136-1.NASL
    description Mathy Vanhoef discovered an error in the the way the ath9k driver was handling the BSSID masking. A remote attacker could exploit this error to discover the original MAC address after a spoofing atack. (CVE-2013-4579) Andrew Honig reported a flaw in the Linux Kernel's kvm_vm_ioctl_create_vcpu function of the Kernel Virtual Machine (KVM) subsystem. A local user could exploit this flaw to gain privileges on the host machine. (CVE-2013-4587) Andrew Honig reported a flaw in the apic_get_tmcct function of the Kernel Virtual Machine (KVM) subsystem if the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service or host OS system crash. (CVE-2013-6367) Andrew Honig reported an error in the Linux Kernel's Kernel Virtual Machine (KVM) VAPIC synchronization operation. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-6368) Lars Bull discovered a flaw in the recalculate_apic_map function of the Kernel Virtual Machine (KVM) subsystem in the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service (host OS crash). (CVE-2013-6376) Nico Golde and Fabian Yamaguchi reported a flaw in the driver for Adaptec AACRAID scsi raid devices in the Linux kernel. A local user could use this flaw to cause a denial of service or possibly other unspecified impact. (CVE-2013-6380) mpd reported an information leak in the recvfrom, recvmmsg, and recvmsg system calls in the Linux kernel. An unprivileged local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7263) mpb reported an information leak in the Layer Two Tunneling Protocol (l2tp) of the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7264) mpb reported an information leak in the Phone Network protocol (phonet) in the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7265) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with ISDN sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7266) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with apple talk sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7267) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with ipx protocol sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7268) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with the netrom address family in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7269) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with packet address family sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7270) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with x25 protocol sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7271) mpb reported an information leak in the Low-Rate Wireless Personal Area Networks support (IEEE 802.15.4) in the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7281) halfdog reported an error in the AMD K7 and K8 platform support in the Linux kernel. An unprivileged local user could exploit this flaw on AMD based systems to cause a denial of service (task kill) or possibly gain privileges via a crafted application. (CVE-2014-1438) An information leak was discovered in the Linux kernel's hamradio YAM driver for AX.25 packet radio. A local user with the CAP_NET_ADMIN capability could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2014-1446) Matthew Thode reported a denial of service vulnerability in the Linux kernel when SELinux support is enabled. A local user with the CAP_MAC_ADMIN capability (and the SELinux mac_admin permission if running in enforcing mode) could exploit this flaw to cause a denial of service (kernel crash). (CVE-2014-1874). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 72899
    published 2014-03-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72899
    title Ubuntu 12.04 LTS : linux-lts-raring vulnerabilities (USN-2136-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-376.NASL
    description The Linux Kernel was updated to fix various security issues and bugs. Main security issues fixed : A security issue in the tty layer that was fixed that could be used by local attackers for code execution (CVE-2014-0196). Two security issues in the floppy driver were fixed that could be used by local attackers on machines with the floppy to crash the kernel or potentially execute code in the kernel (CVE-2014-1737 CVE-2014-1738). Other security issues and bugs that were fixed : - netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper (bnc#860835 CVE-2014-1690). - net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH (bnc#866102, CVE-2014-0101). - n_tty: Fix a n_tty_write crash and code execution when echoing in raw mode (bnc#871252 bnc#875690 CVE-2014-0196). - netfilter: nf_ct_sip: support Cisco 7941/7945 IP phones (bnc#873717). - Update config files: re-enable twofish crypto support Software twofish crypto support was disabled in several architectures since openSUSE 10.3. For i386 and x86_64 it was on purpose, because hardware-accelerated alternatives exist. However for all other architectures it was by accident. Re-enable software twofish crypto support in arm, ia64 and ppc configuration files, to guarantee that at least one implementation is always available (bnc#871325). - Update config files: disable CONFIG_TOUCHSCREEN_W90X900 The w90p910_ts driver only makes sense on the W90x900 architecture, which we do not support. - ath9k: protect tid->sched check (bnc#871148,CVE-2014-2672). - Fix dst_neigh_lookup/dst_neigh_lookup_skb return value handling bug (bnc#869898). - SELinux: Fix kernel BUG on empty security contexts (bnc#863335,CVE-2014-1874). - hamradio/yam: fix info leak in ioctl (bnc#858872, CVE-2014-1446). - wanxl: fix info leak in ioctl (bnc#858870, CVE-2014-1445). - farsync: fix info leak in ioctl (bnc#858869, CVE-2014-1444). - ARM: 7809/1: perf: fix event validation for software group leaders (CVE-2013-4254, bnc#837111). - netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages (bnc#868653, CVE-2014-2523). - ath9k_htc: properly set MAC address and BSSID mask (bnc#851426, CVE-2013-4579). - drm/ttm: don't oops if no invalidate_caches() (bnc#869414). - Apply missing patches.fixes/drm-nouveau-hwmon-rename-fan0-to-fan1.patc h - xfs: growfs: use uncached buffers for new headers (bnc#858233). - xfs: use btree block initialisation functions in growfs (bnc#858233). - Revert 'Delete patches.fixes/xfs-fix-xfs_buf_find-oops-on-blocks-beyond -the-filesystem-end.' (bnc#858233) Put back again the patch patches.fixes/xfs-fix-xfs_buf_find-oops-on-blocks-beyond -the-filesystem-end back as there is a better fix than reverting the affecting patch. - Delete patches.fixes/xfs-fix-xfs_buf_find-oops-on-blocks-beyond -the-filesystem-end. It turned out that this patch causes regressions (bnc#858233) The upstream 3.7.x also reverted it in the end (commit c3793e0d94af2). - tcp: syncookies: reduce cookie lifetime to 128 seconds (bnc#833968). - tcp: syncookies: reduce mss table to four values (bnc#833968). - x86, cpu, amd: Add workaround for family 16h, erratum 793 (bnc#852967 CVE-2013-6885). - cifs: ensure that uncached writes handle unmapped areas correctly (bnc#864025 CVE-2014-0691). - x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround (bnc#858638 CVE-2014-1438). - xencons: generalize use of add_preferred_console() (bnc#733022, bnc#852652). - balloon: don't crash in HVM-with-PoD guests. - hwmon: (coretemp) Fix truncated name of alarm attributes. - NFS: Avoid PUTROOTFH when managing leases (bnc#811746). - cifs: delay super block destruction until all cifsFileInfo objects are gone (bnc#862145).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75364
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75364
    title openSUSE Security Update : kernel (openSUSE-SU-2014:0677-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2113-1.NASL
    description Saran Neti reported a flaw in the ipv6 UDP Fragmentation Offload (UFI) in the Linux kernel. A remote attacker could exploit this flaw to cause a denial of service (panic). (CVE-2013-4563) Mathy Vanhoef discovered an error in the the way the ath9k driver was handling the BSSID masking. A remote attacker could exploit this error to discover the original MAC address after a spoofing atack. (CVE-2013-4579) Andrew Honig reported a flaw in the Linux Kernel's kvm_vm_ioctl_create_vcpu function of the Kernel Virtual Machine (KVM) subsystem. A local user could exploit this flaw to gain privileges on the host machine. (CVE-2013-4587) Andrew Honig reported a flaw in the apic_get_tmcct function of the Kernel Virtual Machine (KVM) subsystem if the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service or host OS system crash. (CVE-2013-6367) Andrew Honig reported an error in the Linux Kernel's Kernel Virtual Machine (KVM) VAPIC synchronization operation. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-6368) Lars Bull discovered a flaw in the recalculate_apic_map function of the Kernel Virtual Machine (KVM) subsystem in the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service (host OS crash). (CVE-2013-6376) Nico Golde and Fabian Yamaguchi reported buffer underflow errors in the implementation of the XFS filesystem in the Linux kernel. A local user with CAP_SYS_ADMIN could exploit these flaw to cause a denial of service (memory corruption) or possibly other unspecified issues. (CVE-2013-6382) A flaw was discovered in the ipv4 ping_recvmsg function of the Linux kernel. A local user could exploit this flaw to cause a denial of service (NULL pointer dereference and system crash). (CVE-2013-6432) mpd reported an information leak in the recvfrom, recvmmsg, and recvmsg system calls in the Linux kernel. An unprivileged local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7263) mpb reported an information leak in the Layer Two Tunneling Protocol (l2tp) of the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7264) mpb reported an information leak in the Phone Network protocol (phonet) in the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7265) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with ISDN sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7266) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with apple talk sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7267) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with ipx protocol sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7268) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with the netrom address family in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7269) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with packet address family sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7270) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with x25 protocol sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7271) mpb reported an information leak in the Low-Rate Wireless Personal Area Networks support (IEEE 802.15.4) in the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7281) halfdog reported an error in the AMD K7 and K8 platform support in the Linux kernel. An unprivileged local user could exploit this flaw on AMD based systems to cause a denial of service (task kill) or possibly gain privileges via a crafted application. (CVE-2014-1438) An information leak was discovered in the Linux kernel's hamradio YAM driver for AX.25 packet radio. A local user with the CAP_NET_ADMIN capability could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2014-1446). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 72576
    published 2014-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72576
    title Ubuntu 12.04 LTS : linux-lts-saucy vulnerabilities (USN-2113-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2138-1.NASL
    description Mathy Vanhoef discovered an error in the the way the ath9k driver was handling the BSSID masking. A remote attacker could exploit this error to discover the original MAC address after a spoofing atack. (CVE-2013-4579) Andrew Honig reported a flaw in the Linux Kernel's kvm_vm_ioctl_create_vcpu function of the Kernel Virtual Machine (KVM) subsystem. A local user could exploit this flaw to gain privileges on the host machine. (CVE-2013-4587) Andrew Honig reported a flaw in the apic_get_tmcct function of the Kernel Virtual Machine (KVM) subsystem if the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service or host OS system crash. (CVE-2013-6367) Andrew Honig reported an error in the Linux Kernel's Kernel Virtual Machine (KVM) VAPIC synchronization operation. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-6368) Nico Golde and Fabian Yamaguchi reported buffer underflow errors in the implementation of the XFS filesystem in the Linux kernel. A local user with CAP_SYS_ADMIN could exploit these flaw to cause a denial of service (memory corruption) or possibly other unspecified issues. (CVE-2013-6382) mpd reported an information leak in the recvfrom, recvmmsg, and recvmsg system calls in the Linux kernel. An unprivileged local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7263) mpb reported an information leak in the Layer Two Tunneling Protocol (l2tp) of the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7264) mpb reported an information leak in the Phone Network protocol (phonet) in the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7265) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with ISDN sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7266) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with apple talk sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7267) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with ipx protocol sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7268) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with the netrom address family in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7269) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with packet address family sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7270) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with x25 protocol sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7271) mpb reported an information leak in the Low-Rate Wireless Personal Area Networks support (IEEE 802.15.4) in the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7281) halfdog reported an error in the AMD K7 and K8 platform support in the Linux kernel. An unprivileged local user could exploit this flaw on AMD based systems to cause a denial of service (task kill) or possibly gain privileges via a crafted application. (CVE-2014-1438) An information leak was discovered in the Linux kernel's hamradio YAM driver for AX.25 packet radio. A local user with the CAP_NET_ADMIN capability could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2014-1446) Matthew Thode reported a denial of service vulnerability in the Linux kernel when SELinux support is enabled. A local user with the CAP_MAC_ADMIN capability (and the SELinux mac_admin permission if running in enforcing mode) could exploit this flaw to cause a denial of service (kernel crash). (CVE-2014-1874). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 72901
    published 2014-03-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72901
    title Ubuntu 12.10 : linux vulnerabilities (USN-2138-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2135-1.NASL
    description Mathy Vanhoef discovered an error in the the way the ath9k driver was handling the BSSID masking. A remote attacker could exploit this error to discover the original MAC address after a spoofing atack. (CVE-2013-4579) Andrew Honig reported a flaw in the Linux Kernel's kvm_vm_ioctl_create_vcpu function of the Kernel Virtual Machine (KVM) subsystem. A local user could exploit this flaw to gain privileges on the host machine. (CVE-2013-4587) Andrew Honig reported a flaw in the apic_get_tmcct function of the Kernel Virtual Machine (KVM) subsystem if the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service or host OS system crash. (CVE-2013-6367) Andrew Honig reported an error in the Linux Kernel's Kernel Virtual Machine (KVM) VAPIC synchronization operation. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-6368) Nico Golde and Fabian Yamaguchi reported buffer underflow errors in the implementation of the XFS filesystem in the Linux kernel. A local user with CAP_SYS_ADMIN could exploit these flaw to cause a denial of service (memory corruption) or possibly other unspecified issues. (CVE-2013-6382) mpd reported an information leak in the recvfrom, recvmmsg, and recvmsg system calls in the Linux kernel. An unprivileged local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7263) mpb reported an information leak in the Layer Two Tunneling Protocol (l2tp) of the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7264) mpb reported an information leak in the Phone Network protocol (phonet) in the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7265) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with ISDN sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7266) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with apple talk sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7267) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with ipx protocol sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7268) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with the netrom address family in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7269) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with packet address family sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7270) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with x25 protocol sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7271) mpb reported an information leak in the Low-Rate Wireless Personal Area Networks support (IEEE 802.15.4) in the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel stack memory. (CVE-2013-7281) halfdog reported an error in the AMD K7 and K8 platform support in the Linux kernel. An unprivileged local user could exploit this flaw on AMD based systems to cause a denial of service (task kill) or possibly gain privileges via a crafted application. (CVE-2014-1438) An information leak was discovered in the Linux kernel's hamradio YAM driver for AX.25 packet radio. A local user with the CAP_NET_ADMIN capability could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2014-1446) Matthew Thode reported a denial of service vulnerability in the Linux kernel when SELinux support is enabled. A local user with the CAP_MAC_ADMIN capability (and the SELinux mac_admin permission if running in enforcing mode) could exploit this flaw to cause a denial of service (kernel crash). (CVE-2014-1874). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 72898
    published 2014-03-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72898
    title Ubuntu 12.04 LTS : linux-lts-quantal vulnerabilities (USN-2135-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-1062.NASL
    description The 3.12.8 stable update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 72030
    published 2014-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72030
    title Fedora 20 : kernel-3.12.8-300.fc20 (2014-1062)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2128-1.NASL
    description An information leak was discovered in the Linux kernel when inotify is used to monitor the /dev/ptmx device. A local user could exploit this flaw to discover keystroke timing and potentially discover sensitive information like password length. (CVE-2013-0160) Vasily Kulikov reported a flaw in the Linux kernel's implementation of ptrace. An unprivileged local user could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2013-2929) Andrew Honig reported a flaw in the Linux Kernel's kvm_vm_ioctl_create_vcpu function of the Kernel Virtual Machine (KVM) subsystem. A local user could exploit this flaw to gain privileges on the host machine. (CVE-2013-4587) Andrew Honig reported a flaw in the apic_get_tmcct function of the Kernel Virtual Machine (KVM) subsystem if the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service or host OS system crash. (CVE-2013-6367) Nico Golde and Fabian Yamaguchi reported a flaw in the driver for Adaptec AACRAID scsi raid devices in the Linux kernel. A local user could use this flaw to cause a denial of service or possibly other unspecified impact. (CVE-2013-6380) Nico Golde and Fabian Yamaguchi reported buffer underflow errors in the implementation of the XFS filesystem in the Linux kernel. A local user with CAP_SYS_ADMIN could exploit these flaw to cause a denial of service (memory corruption) or possibly other unspecified issues. (CVE-2013-6382) Evan Huus reported a buffer overflow in the Linux kernel's radiotap header parsing. A remote attacker could cause a denial of service (buffer over- read) via a specially crafted header. (CVE-2013-7027) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with ISDN sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7266) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with apple talk sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7267) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with ipx protocol sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7268) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with the netrom address family in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7269) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with packet address family sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7270) An information leak was discovered in the recvfrom, recvmmsg, and recvmsg systemcalls when used with x25 protocol sockets in the Linux kernel. A local user could exploit this leak to obtain potentially sensitive information from kernel memory. (CVE-2013-7271) An information leak was discovered in the Linux kernel's SIOCWANDEV ioctl call. A local user with the CAP_NET_ADMIN capability could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1444) An information leak was discovered in the wanxl ioctl function the the Linux kernel. A local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1445) An information leak was discovered in the Linux kernel's hamradio YAM driver for AX.25 packet radio. A local user with the CAP_NET_ADMIN capability could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2014-1446) Matthew Thode reported a denial of service vulnerability in the Linux kernel when SELinux support is enabled. A local user with the CAP_MAC_ADMIN capability (and the SELinux mac_admin permission if running in enforcing mode) could exploit this flaw to cause a denial of service (kernel crash). (CVE-2014-1874). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 72857
    published 2014-03-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72857
    title Ubuntu 10.04 LTS : linux vulnerabilities (USN-2128-1)
refmap via4
bid 64954
confirm
fedora
  • FEDORA-2014-1062
  • FEDORA-2014-1072
mandriva MDVSA-2014:038
mlist [oss-security] 20140115 Re: CVE request: assorted kernel infoleak security fixes
ubuntu
  • USN-2113-1
  • USN-2117-1
  • USN-2128-1
  • USN-2129-1
  • USN-2133-1
  • USN-2134-1
  • USN-2135-1
  • USN-2136-1
  • USN-2138-1
  • USN-2139-1
  • USN-2141-1
xf linux-kernel-cve20141446-info-disc(90445)
Last major update 16-03-2014 - 00:45
Published 18-01-2014 - 17:55
Last modified 28-08-2017 - 21:34
Back to Top