Bug 11472

Summary: Update request: kernel-vserver-3.4.69-1.mga2
Product: Mageia
Reporter: Thomas Backlund <tmb>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, qa-bugs, sysadmin-bugs
Version: 2
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: advisory MGA2-64-OK MGA2-32-OK
Source RPM: kernel-vserver-3.4.69-1.mga2
CVE:
Status comment:

Description Thomas Backlund 2013-10-15 00:06:26 CEST
Advisory and CVE list come later, but you can start testing:

SRPM:
kernel-vserver-3.4.66-1.mga2.src.rpm



i586:
kernel-vserver-3.4.66-1.mga2-1-1.mga2.i586.rpm
kernel-vserver-devel-3.4.66-1.mga2-1-1.mga2.i586.rpm
kernel-vserver-devel-latest-3.4.66-1.mga2.i586.rpm
kernel-vserver-doc-3.4.66-1.mga2.noarch.rpm
kernel-vserver-latest-3.4.66-1.mga2.i586.rpm
kernel-vserver-source-3.4.66-1.mga2-1-1.mga2.noarch.rpm
kernel-vserver-source-latest-3.4.66-1.mga2.noarch.rpm



x86_64:
kernel-vserver-3.4.66-1.mga2-1-1.mga2.x86_64.rpm
kernel-vserver-devel-3.4.66-1.mga2-1-1.mga2.x86_64.rpm
kernel-vserver-devel-latest-3.4.66-1.mga2.x86_64.rpm
kernel-vserver-doc-3.4.66-1.mga2.noarch.rpm
kernel-vserver-latest-3.4.66-1.mga2.x86_64.rpm
kernel-vserver-source-3.4.66-1.mga2-1-1.mga2.noarch.rpm
kernel-vserver-source-latest-3.4.66-1.mga2.noarch.rpm


Comment 1 claire robinson 2013-11-07 22:37:01 CET
Assigning Thomas for now. 

Please reassign to QA when you've had a chance to take a look. 

Thanks.

CC: (none) => qa-bugs
Assignee: qa-bugs => tmb

Comment 2 Thomas Backlund 2013-11-18 09:08:24 CET
new rpms to validate:


SRPM:
kernel-vserver-3.4.69-1.mga2.src.rpm



i586:
kernel-vserver-3.4.69-1.mga2-1-1.mga2.i586.rpm
kernel-vserver-devel-3.4.69-1.mga2-1-1.mga2.i586.rpm
kernel-vserver-devel-latest-3.4.69-1.mga2.i586.rpm
kernel-vserver-doc-3.4.69-1.mga2.noarch.rpm
kernel-vserver-latest-3.4.69-1.mga2.i586.rpm
kernel-vserver-source-3.4.69-1.mga2-1-1.mga2.noarch.rpm
kernel-vserver-source-latest-3.4.69-1.mga2.noarch.rpm



x86_64:
kernel-vserver-3.4.69-1.mga2-1-1.mga2.x86_64.rpm
kernel-vserver-devel-3.4.69-1.mga2-1-1.mga2.x86_64.rpm
kernel-vserver-devel-latest-3.4.69-1.mga2.x86_64.rpm
kernel-vserver-doc-3.4.69-1.mga2.noarch.rpm
kernel-vserver-latest-3.4.69-1.mga2.x86_64.rpm
kernel-vserver-source-3.4.69-1.mga2-1-1.mga2.noarch.rpm
kernel-vserver-source-latest-3.4.69-1.mga2.noarch.rpm

Assignee: tmb => qa-bugs
Summary: Update request: kernel-vserver-3.4.66-1.mga2 => Update request: kernel-vserver-3.4.69-1.mga2
Source RPM: kernel-vserver-3.4.66-1.mga2 => kernel-vserver-3.4.69-1.mga2

Comment 3 Thomas Backlund 2013-11-20 18:34:57 CET

Advisory:

This kernel-vserver update provides the upstream 3.4.69 kernel and fixes
the following security issues:

The ext4_orphan_del function in fs/ext4/namei.c in the Linux
kernel before 3.7.3 does not properly handle orphan-list entries
for non-journal filesystems, which allows physically proximate
attackers to cause a denial of service (system hang) via a crafted
filesystem on removable media, as demonstrated by the e2fsprogs
tests/f_orphan_extents_inode/image.gz test (CVE-2013-2015).

Multiple array index errors in drivers/hid/hid-core.c in the Human
Interface Device (HID) subsystem in the Linux kernel through 3.11
allow physically proximate attackers to execute arbitrary code or
cause a denial of service (heap memory corruption) via a crafted
device that provides an invalid Report ID (CVE-2013-2888).
 
drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem
in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled,
allows physically proximate attackers to cause a denial of service
(heap-based out-of-bounds write) via a crafted device (CVE-2013-2889).
 
drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in
the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled,
allows physically proximate attackers to cause a denial of service
(heap-based out-of-bounds write) via a crafted device (CVE-2013-2892).

The Human Interface Device (HID) subsystem in the Linux kernel
through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or
CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate
attackers to cause a denial of service (heap-based out-of-bounds
write) via a crafted device, related to (1) drivers/hid/hid-lgff.c,
(2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c
(CVE-2013-2893).

drivers/hid/hid-logitech-dj.c in the Human Interface Device (HID)
subsystem in the Linux kernel through 3.11, when CONFIG_HID_LOGITECH_DJ
is enabled, allows physically proximate attackers to cause a denial
of service (NULL pointer dereference and OOPS) or obtain sensitive
information from kernel memory via a crafted device (CVE-2013-2895).

drivers/hid/hid-ntrig.c in the Human Interface Device (HID)
subsystem in the Linux kernel through 3.11, when CONFIG_HID_NTRIG
is enabled, allows physically proximate attackers to cause a denial
of service (NULL pointer dereference and OOPS) via a crafted device
(CVE-2013-2896).

Multiple array index errors in drivers/hid/hid-multitouch.c in the
Human Interface Device (HID) subsystem in the Linux kernel through
3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate
attackers to cause a denial of service (heap memory corruption, or NULL
pointer dereference and OOPS) via a crafted device (CVE-2013-2897).

drivers/hid/hid-picolcd_core.c in the Human Interface Device (HID)
subsystem in the Linux kernel through 3.11, when CONFIG_HID_PICOLCD
is enabled, allows physically proximate attackers to cause a denial
of service (NULL pointer dereference and OOPS) via a crafted device
(CVE-2013-2899).

The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6
implementation in the Linux kernel through 3.10.3 makes an incorrect
function call for pending data, which allows local users to cause a
denial of service (BUG and system crash) via a crafted application that
uses the UDP_CORK option in a setsockopt system call (CVE-2013-4162).

The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6
implementation in the Linux kernel through 3.10.3 does not properly
maintain information about whether the IPV6_MTU setsockopt option
had been specified, which allows local users to cause a denial of
service (BUG and system crash) via a crafted application that uses
the UDP_CORK option in a setsockopt system call (CVE-2013-4163).

The validate_event function in arch/arm/kernel/perf_event.c in the
Linux kernel before 3.10.8 on the ARM platform allows local users to
gain privileges or cause a denial of service (NULL pointer dereference
and system crash) by adding a hardware event to an event group led
by a software event (CVE-2013-4254).

The skb_flow_dissect function in net/core/flow_dissector.c in the
Linux kernel through 3.12 allows remote attackers to cause a denial
of service (infinite loop) via a small value in the IHL field of a
packet with IPIP encapsulation (CVE-2013-4348).
 
The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel
through 3.11.1 uses data structures and function calls that do not
trigger an intended configuration of IPsec encryption, which allows
remote attackers to obtain sensitive information by sniffing the
network (CVE-2013-4350).

net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not
properly determine the need for UDP Fragmentation Offload (UFO)
processing of small packets after the UFO queueing of a large packet,
which allows remote attackers to cause a denial of service (memory
corruption and system crash) or possibly have unspecified other
impact via network traffic that triggers a large response packet
(CVE-2013-4387).

The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is
enabled, does not properly initialize certain data structures, which
allows local users to cause a denial of service (memory corruption and
system crash) or possibly gain privileges via a crafted application
that uses the UDP_CORK option in a setsockopt system call and
sends both short and long packets, related to the ip_ufo_append_data
function in net/ipv4/ip_output.c and the ip6_ufo_append_data function
in net/ipv6/ip6_output.c (CVE-2013-4470).
 
The ipc_rcu_putref function in ipc/util.c in the Linux kernel before
3.10 does not properly manage a reference count, which allows local
users to cause a denial of service (memory consumption or system crash)
via a crafted application (CVE-2013-4483).


For other -stable fixes, read the referenced changelogs.

References:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.53
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.54
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.55
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.56
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.57
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.58
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.59
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.60
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.61
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.62
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.63
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.64
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.65
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.66
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.67
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.68
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.69
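
Several of the HID issues in the advisory above apply only when a specific driver option is enabled. The following script is an added example, not part of the bug report or of Mageia's tooling: it maps those CONFIG_* options to their CVE ids and reports which ones a given kernel config enables. The sample config, the decoy option and the `uname -r` layout are assumptions; CVEs the advisory does not tie to a config option (for example CVE-2013-2888 and the network issues) are covered only by the version check.

```shell
#!/usr/bin/env bash
# Added example, not part of the bug report. Option/CVE pairs are copied from
# the advisory; 3.4.69 is the upstream version this update ships.
FIXED_VERSION=3.4.69
ADVISORY_MAP='CONFIG_HID_ZEROPLUS:CVE-2013-2889
CONFIG_HID_PANTHERLORD:CVE-2013-2892
CONFIG_LOGITECH_FF:CVE-2013-2893
CONFIG_LOGIG940_FF:CVE-2013-2893
CONFIG_LOGIWHEELS_FF:CVE-2013-2893
CONFIG_HID_LOGITECH_DJ:CVE-2013-2895
CONFIG_HID_NTRIG:CVE-2013-2896
CONFIG_HID_MULTITOUCH:CVE-2013-2897
CONFIG_HID_PICOLCD:CVE-2013-2899'

# Constructed sample config fragment; CONFIG_HID_MULTITOUCH_EXTRA is a made-up
# decoy to show that only exact option names match.
SAMPLE_CONFIG='CONFIG_HID_ZEROPLUS=m
# CONFIG_HID_PANTHERLORD is not set
CONFIG_LOGITECH_FF=y
CONFIG_LOGIWHEELS_FF=y
CONFIG_HID_NTRIG=y
CONFIG_HID_MULTITOUCH_EXTRA=y'

# exposed_cves: kernel config on stdin -> sorted, de-duplicated CVE ids whose
# gating driver option is built in (=y) or built as a module (=m).
exposed_cves() {
    local cfg opt cve
    cfg=$(cat)
    while IFS=: read -r opt cve; do
        if printf '%s\n' "$cfg" | grep -Eq "^${opt}=(y|m)\$"; then
            printf '%s\n' "$cve"
        fi
    done <<EOF | sort -u
$ADVISORY_MAP
EOF
}

# needs_update RELEASE: succeeds when the upstream part of RELEASE (text before
# the first "-", an assumed `uname -r` layout) sorts below FIXED_VERSION.
needs_update() {
    local up="${1%%-*}"
    [ "$up" != "$FIXED_VERSION" ] &&
        [ "$(printf '%s\n%s\n' "$up" "$FIXED_VERSION" | sort -V | head -n1)" = "$up" ]
}

# Sample run; on a host: exposed_cves < "/boot/config-$(uname -r)" (usual path, assumed)
if needs_update "3.4.66-1.mga2"; then printf '%s\n' "$SAMPLE_CONFIG" | exposed_cves; fi
```

An option built as a module (=m) is reported because the driver can be loaded when a matching device is attached.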
Dave Hodgins 2013-11-21 20:49:24 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Dave Hodgins 2013-11-22 01:17:06 CET

Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2013-11-22 20:26:05 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0346.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED