-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2013:291 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : kernel Date : December 17, 2013 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been found and corrected in the Linux kernel: The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h (CVE-2013-2929). The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application (CVE-2013-2930). Multiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c (CVE-2013-4511). Buffer overflow in the exitcode_proc_write function in arch/um/kernel/exitcode.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging root privileges for a write operation (CVE-2013-4512). Multiple buffer overflows in drivers/staging/wlags49_h2/wl_priv.c in the Linux kernel before 3.12 allow local users to cause a denial of service or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability and providing a long station-name string, related to the (1) wvlan_uil_put_info and (2) wvlan_set_station_nickname functions (CVE-2013-4514). The bcm_char_ioctl function in drivers/staging/bcm/Bcmchar.c in the Linux kernel before 3.12 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an IOCTL_BCM_GET_DEVICE_DRIVER_INFO ioctl call (CVE-2013-4515). Memory leak in the __kvm_set_memory_region function in virt/kvm/kvm_main.c in the Linux kernel before 3.9 allows local users to cause a denial of service (memory consumption) by leveraging certain device access to trigger movement of memory slots (CVE-2013-4592). The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation (CVE-2013-6378). The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 3.12.1 does not properly validate a certain size value, which allows local users to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via an FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted SRB command (CVE-2013-6380). Buffer overflow in the qeth_snmp_command function in drivers/s390/net/qeth_core_main.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service or possibly have unspecified other impact via an SNMP ioctl call with a length value that is incompatible with the command-buffer size (CVE-2013-6381). The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call (CVE-2013-6383). The uio_mmap_physical function in drivers/uio/uio.c in the Linux kernel before 3.12 does not validate the size of a memory block, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via crafted mmap operations, a different vulnerability than CVE-2013-4511 (CVE-2013-6763). The updated packages provides a solution for these security issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2929 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2930 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4511 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4512 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4514 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4515 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4592 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6378 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6380 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6381 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6383 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6763 _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: b2ec18573cfce8e2c59f3837bee54986 mbs1/x86_64/cpupower-3.4.71-1.1.mbs1.x86_64.rpm 4223a45307eed3f34f1c2fc91e47b2bc mbs1/x86_64/kernel-firmware-3.4.71-1.1.mbs1.noarch.rpm 12ade5821162c60735934c7d8074abbf mbs1/x86_64/kernel-headers-3.4.71-1.1.mbs1.x86_64.rpm 596969c53ae7ef58106d58c3ddcda017 mbs1/x86_64/kernel-server-3.4.71-1.1.mbs1.x86_64.rpm 447b51d9b8056a545b56a7b2e4d10c00 mbs1/x86_64/kernel-server-devel-3.4.71-1.1.mbs1.x86_64.rpm ca6e8ac266deddfdb820498602d83562 mbs1/x86_64/kernel-source-3.4.71-1.mbs1.noarch.rpm 636862bf8abc059c22bf0f80192682c1 mbs1/x86_64/lib64cpupower0-3.4.71-1.1.mbs1.x86_64.rpm 68acfb49a9d72e5e64fe4a404b4de306 mbs1/x86_64/lib64cpupower-devel-3.4.71-1.1.mbs1.x86_64.rpm 4794fa50688c49af900d4b215e0b1a3b mbs1/x86_64/perf-3.4.71-1.1.mbs1.x86_64.rpm 08d165f0b55b13663fc83d23d9853c70 mbs1/SRPMS/cpupower-3.4.71-1.1.mbs1.src.rpm 1d536b477305aeacc465861b6cf27d36 mbs1/SRPMS/kernel-firmware-3.4.71-1.1.mbs1.src.rpm 7c454f625ecd42711dd7c1081db66adb mbs1/SRPMS/kernel-headers-3.4.71-1.1.mbs1.src.rpm d6dbb3c4025edf28de366a595bb70017 mbs1/SRPMS/kernel-server-3.4.71-1.1.mbs1.src.rpm ae18c854eb9d554cb1dbc8783836546b mbs1/SRPMS/kernel-source-3.4.71-1.mbs1.src.rpm 5d73b86d8323d5c682d1e840c3f5a1ee mbs1/SRPMS/perf-3.4.71-1.1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFSsHyomqjQ0CJFipgRAuHZAJ4iucAvE9Ujo1RPE3X19MQqW0bgMQCgyo1S xosocZxNYfjd7/v82ZxQHyM= =GSnA -----END PGP SIGNATURE-----