[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ MDVSA-2015:058 ] kernel



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:058
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : kernel
 Date    : March 13, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in the Linux
 kernel:
 
 The Crypto API in the Linux kernel before 3.18.5 allows local users
 to load arbitrary kernel modules via a bind system call for an
 AF_ALG socket with a module name in the salg_name field, a different
 vulnerability than CVE-2014-9644 (CVE-2013-7421).
 
 arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before
 3.17.2 on Intel processors does not ensure that the value in the CR4
 control register remains the same after a VM entry, which allows host
 OS users to kill arbitrary processes or cause a denial of service
 (system disruption) by leveraging /dev/kvm access, as demonstrated by
 PR_SET_TSC prctl calls within a modified copy of QEMU (CVE-2014-3690).
 
 arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation
 in the Linux kernel through 3.18.1 allows local users to bypass the
 espfix protection mechanism, and consequently makes it easier for
 local users to bypass the ASLR protection mechanism, via a crafted
 application that makes a set_thread_area system call and later reads
 a 16-bit value (CVE-2014-8133).
 
 net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before
 3.18 generates incorrect conntrack entries during handling of certain
 iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols,
 which allows remote attackers to bypass intended access restrictions
 via packets with disallowed port numbers (CVE-2014-8160).
 
 The Linux kernel through 3.17.4 does not properly restrict dropping
 of supplemental group memberships in certain namespace scenarios,
 which allows local users to bypass intended file permissions by
 leveraging a POSIX ACL containing an entry for the group category
 that is more restrictive than the entry for the other category, aka
 a negative groups issue, related to kernel/groups.c, kernel/uid16.c,
 and kernel/user_namespace.c (CVE-2014-8989).
 
 The __switch_to function in arch/x86/kernel/process_64.c in the Linux
 kernel through 3.18.1 does not ensure that Thread Local Storage (TLS)
 descriptors are loaded before proceeding with other steps, which makes
 it easier for local users to bypass the ASLR protection mechanism via
 a crafted application that reads a TLS base address (CVE-2014-9419).
 
 The rock_continue function in fs/isofs/rock.c in the Linux kernel
 through 3.18.1 does not restrict the number of Rock Ridge continuation
 entries, which allows local users to cause a denial of service
 (infinite loop, and system crash or hang) via a crafted iso9660 image
 (CVE-2014-9420).
 
 The batadv_frag_merge_packets function in
 net/batman-adv/fragmentation.c in the B.A.T.M.A.N. implementation in
 the Linux kernel through 3.18.1 uses an incorrect length field during
 a calculation of an amount of memory, which allows remote attackers
 to cause a denial of service (mesh-node system crash) via fragmented
 packets (CVE-2014-9428).
 
 Race condition in the key_gc_unused_keys function in security/keys/gc.c
 in the Linux kernel through 3.18.2 allows local users to cause a denial
 of service (memory corruption or panic) or possibly have unspecified
 other impact via keyctl commands that trigger access to a key structure
 member during garbage collection of a key (CVE-2014-9529).
 
 The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in
 the Linux kernel before 3.18.2 does not validate a length value in
 the Extensions Reference (ER) System Use Field, which allows local
 users to obtain sensitive information from kernel memory via a crafted
 iso9660 image (CVE-2014-9584).
 
 The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel
 through 3.18.2 does not properly choose memory locations for the
 vDSO area, which makes it easier for local users to bypass the ASLR
 protection mechanism by guessing a location at the end of a PMD
 (CVE-2014-9585).
 
 The Crypto API in the Linux kernel before 3.18.5 allows local users
 to load arbitrary kernel modules via a bind system call for an
 AF_ALG socket with a parenthesized module template expression in
 the salg_name field, as demonstrated by the vfat(aes) expression,
 a different vulnerability than CVE-2013-7421 (CVE-2014-9644).
 
 Off-by-one error in the ecryptfs_decode_from_filename function in
 fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel
 before 3.18.2 allows local users to cause a denial of service (buffer
 overflow and system crash) or possibly gain privileges via a crafted
 filename (CVE-2014-9683).
 
 The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel
 before 3.18.5, when the guest OS lacks SYSENTER MSR initialization,
 allows guest OS users to gain guest OS privileges or cause a denial
 of service (guest OS crash) by triggering use of a 16-bit code segment
 for emulation of a SYSENTER instruction (CVE-2015-0239).
 
 The updated packages provides a solution for these security issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7421
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3690
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8133
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8160
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8989
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9419
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9420
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9428
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9529
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9584
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9585
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9644
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9683
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0239
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:
 6f306fb57ce3b3ad55f8943360dfec98  mbs2/x86_64/cpupower-3.14.34-1.1.mbs2.x86_64.rpm
 f84a132ab6b669eba658d4815b1c521e  mbs2/x86_64/kernel-firmware-3.14.34-1.1.mbs2.noarch.rpm
 2e4ea08bde452e5cb230a192c1e47af1  mbs2/x86_64/kernel-headers-3.14.34-1.1.mbs2.x86_64.rpm
 eeabfc7de3b9ece90ea619a40d87528d  mbs2/x86_64/kernel-server-3.14.34-1.1.mbs2.x86_64.rpm
 94f51895d2f3079f26aa219772afcbda  mbs2/x86_64/kernel-server-devel-3.14.34-1.1.mbs2.x86_64.rpm
 857731401242a159adde6fe99fd293a6  mbs2/x86_64/kernel-source-3.14.34-1.mbs2.noarch.rpm
 c757d5a1fbffcb41b577bba95facbba9  mbs2/x86_64/lib64cpupower0-3.14.34-1.1.mbs2.x86_64.rpm
 70583be267db270c5d9db94f69f57979  mbs2/x86_64/lib64cpupower-devel-3.14.34-1.1.mbs2.x86_64.rpm 
 9eb5f24206ca5ed51b205d249677965e  mbs2/SRPMS/cpupower-3.14.34-1.1.mbs2.src.rpm
 092a138adebd64f55378936b50226b5f  mbs2/SRPMS/kernel-firmware-3.14.34-1.1.mbs2.src.rpm
 73c3623ee71e43be06060a252b1a10f9  mbs2/SRPMS/kernel-headers-3.14.34-1.1.mbs2.src.rpm
 9a0711a815ca145365c4a4a2867e6319  mbs2/SRPMS/kernel-server-3.14.34-1.1.mbs2.src.rpm
 acc64f8fceda5de2e8cbfb4c19c946c6  mbs2/SRPMS/kernel-source-3.14.34-1.mbs2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVAvCimqjQ0CJFipgRAiyPAKDVMJ5VedkEpCRpKZbvkTcFvCOyEQCeNDlL
vM0mHqNwa62tThwwyxIv8SI=
=i8d3
-----END PGP SIGNATURE-----