Bug 11467 - Update request: kernel-vserver-3.10.24-2.mga3
Summary: Update request: kernel-vserver-3.10.24-2.mga3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Keywords: validated_update
Depends on: 11463
Blocks:
Reported: 2013-10-14 22:41 CEST by Thomas Backlund
Modified: 2013-12-18 00:49 CET

See Also:
Source RPM: kernel-vserver-3.10.24-2.mga3
CVE:
Status comment:



Description Thomas Backlund 2013-10-14 22:41:38 CEST
Advisory and CVE list comes later, but you can start testing:

SRPM:
kernel-vserver-3.10.16-1.mga3.src.rpm

i586:
kernel-vserver-3.10.16-1.mga3-1-1.mga3.i586.rpm
kernel-vserver-devel-3.10.16-1.mga3-1-1.mga3.i586.rpm
kernel-vserver-devel-latest-3.10.16-1.mga3.i586.rpm
kernel-vserver-doc-3.10.16-1.mga3.noarch.rpm
kernel-vserver-latest-3.10.16-1.mga3.i586.rpm
kernel-vserver-source-3.10.16-1.mga3-1-1.mga3.noarch.rpm
kernel-vserver-source-latest-3.10.16-1.mga3.noarch.rpm

x86_64:
kernel-vserver-3.10.16-1.mga3-1-1.mga3.x86_64.rpm
kernel-vserver-devel-3.10.16-1.mga3-1-1.mga3.x86_64.rpm
kernel-vserver-devel-latest-3.10.16-1.mga3.x86_64.rpm
kernel-vserver-doc-3.10.16-1.mga3.noarch.rpm
kernel-vserver-latest-3.10.16-1.mga3.x86_64.rpm
kernel-vserver-source-3.10.16-1.mga3-1-1.mga3.noarch.rpm
kernel-vserver-source-latest-3.10.16-1.mga3.noarch.rpm

Comment 1 Lewis Smith 2013-10-30 20:45:07 CET
Installed and using 3.10.16-vserver-1.mga3
 (kernel-vserver-3.10.16-1.mga3-1-1.mga3.i586.rpm
 =kernel-vserver-latest-3.10.16-1.mga3.i586.rpm)
with no visible problems.
Real h/w: Asus m/b, AMD Sempron 2500 1.5 GHz, IDE I/O, SiS controllers, *no* Nvidia/ATI/Intel graphics.
OK by me.

CC: (none) => lewyssmith

Comment 2 claire robinson 2013-11-07 22:40:34 CET
Assigning Thomas for now. 

Please reassign to QA when you've had a chance to take a look.

Thanks.

CC: (none) => qa-bugs
Assignee: qa-bugs => tmb

Comment 3 Thomas Backlund 2013-11-18 18:34:38 CET
New rpms to validate:

SRPM:
kernel-vserver-3.10.19-1.mga3.src.rpm

i586:
kernel-vserver-3.10.19-1.mga3-1-1.mga3.i586.rpm
kernel-vserver-devel-3.10.19-1.mga3-1-1.mga3.i586.rpm
kernel-vserver-devel-latest-3.10.19-1.mga3.i586.rpm
kernel-vserver-doc-3.10.19-1.mga3.noarch.rpm
kernel-vserver-latest-3.10.19-1.mga3.i586.rpm
kernel-vserver-source-3.10.19-1.mga3-1-1.mga3.noarch.rpm
kernel-vserver-source-latest-3.10.19-1.mga3.noarch.rpm

x86_64:
kernel-vserver-3.10.19-1.mga3-1-1.mga3.x86_64.rpm
kernel-vserver-devel-3.10.19-1.mga3-1-1.mga3.x86_64.rpm
kernel-vserver-devel-latest-3.10.19-1.mga3.x86_64.rpm
kernel-vserver-doc-3.10.19-1.mga3.noarch.rpm
kernel-vserver-latest-3.10.19-1.mga3.x86_64.rpm
kernel-vserver-source-3.10.19-1.mga3-1-1.mga3.noarch.rpm
kernel-vserver-source-latest-3.10.19-1.mga3.noarch.rpm

Assignee: tmb => qa-bugs
Summary: Update request: kernel-vserver-3.10.16-1.mga3 => Update request: kernel-vserver-3.10.19-1.mga3
Source RPM: kernel-vserver-3.10.16-1.mga3 => kernel-vserver-3.10.19-1.mga3

Comment 4 Lewis Smith 2013-11-21 19:27:24 CET
kernel-vserver-3.10.19-1.mga3-1-1.mga3
on real 32-bit h/w (without famous difficult graphics) seems to start & work OK for me - very little used, so this confirmation carries little weight.

Comment 5 Thomas Backlund 2013-11-21 21:07:13 CET
Advisory:

This kernel-vserver update provides an update to the 3.10 longterm branch,
currently 3.10.19 and fixes the following security issues:

The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel
through 3.10 does not properly handle problems with the generation of IPv6
temporary addresses, which allows remote attackers to cause a denial of
service (excessive retries and address-generation outage), and consequently
obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages.
(CVE-2013-0343)

net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers
to cause a denial of service (NULL pointer dereference and system crash) or
possibly have unspecified other impact via an auth_reply message that
triggers an attempted build_request operation. (CVE-2013-1059)

The dispatch_discard_io function in drivers/block/xen-blkback/blkback.c in
the Xen blkback implementation in the Linux kernel before 3.10.5 allows guest
OS users to cause a denial of service (data loss) via filesystem write
operations on a read-only disk that supports the (1) BLKIF_OP_DISCARD
(aka discard or TRIM) or (2) SCSI UNMAP feature. (CVE-2013-2140)

The HP Smart Array controller disk-array driver and Compaq SMART2 controller
disk-array driver in the Linux kernel through 3.9.4 do not initialize certain
data structures, which allows local users to obtain sensitive information from
kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device,
related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2)
a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the
cciss_ioctl32_passthru function in drivers/block/cciss.c. (CVE-2013-2147)

Format string vulnerability in the register_disk function in block/genhd.c
in the Linux kernel through 3.9.4 allows local users to gain privileges by
leveraging root access and writing format string specifiers to
/sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md
device name. (CVE-2013-2851)

Multiple array index errors in drivers/hid/hid-core.c in the Human
Interface Device (HID) subsystem in the Linux kernel through 3.11
allow physically proximate attackers to execute arbitrary code or
cause a denial of service (heap memory corruption) via a crafted
device that provides an invalid Report ID (CVE-2013-2888).
 
drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem
in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled,
allows physically proximate attackers to cause a denial of service
(heap-based out-of-bounds write) via a crafted device (CVE-2013-2889).
 
drivers/hid/hid-steelseries.c in the Human Interface Device (HID) subsystem
in the Linux kernel through 3.11, when CONFIG_HID_STEELSERIES is enabled,
allows physically proximate attackers to cause a denial of service
(heap-based out-of-bounds write) via a crafted device. (CVE-2013-2891)

drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in
the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled,
allows physically proximate attackers to cause a denial of service
(heap-based out-of-bounds write) via a crafted device (CVE-2013-2892).

The Human Interface Device (HID) subsystem in the Linux kernel
through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or
CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate
attackers to cause a denial of service (heap-based out-of-bounds
write) via a crafted device, related to (1) drivers/hid/hid-lgff.c,
(2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c
(CVE-2013-2893).

drivers/hid/hid-lenovo-tpkbd.c in the Human Interface Device (HID) subsystem
in the Linux kernel through 3.11, when CONFIG_HID_LENOVO_TPKBD is enabled,
allows physically proximate attackers to cause a denial of service
(heap-based out-of-bounds write) via a crafted device. (CVE-2013-2894)

drivers/hid/hid-logitech-dj.c in the Human Interface Device (HID)
subsystem in the Linux kernel through 3.11, when CONFIG_HID_LOGITECH_DJ
is enabled, allows physically proximate attackers to cause a denial
of service (NULL pointer dereference and OOPS) or obtain sensitive
information from kernel memory via a crafted device (CVE-2013-2895).

drivers/hid/hid-ntrig.c in the Human Interface Device (HID)
subsystem in the Linux kernel through 3.11, when CONFIG_HID_NTRIG
is enabled, allows physically proximate attackers to cause a denial
of service (NULL pointer dereference and OOPS) via a crafted device
(CVE-2013-2896).

Multiple array index errors in drivers/hid/hid-multitouch.c in the
Human Interface Device (HID) subsystem in the Linux kernel through
3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate
attackers to cause a denial of service (heap memory corruption, or NULL
pointer dereference and OOPS) via a crafted device (CVE-2013-2897).

drivers/hid/hid-sensor-hub.c in the Human Interface Device (HID) subsystem
in the Linux kernel through 3.11, when CONFIG_HID_SENSOR_HUB is enabled,
allows physically proximate attackers to obtain sensitive information from
kernel memory via a crafted device. (CVE-2013-2898)

drivers/hid/hid-picolcd_core.c in the Human Interface Device (HID)
subsystem in the Linux kernel through 3.11, when CONFIG_HID_PICOLCD
is enabled, allows physically proximate attackers to cause a denial
of service (NULL pointer dereference and OOPS) via a crafted device
(CVE-2013-2899).

The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6
implementation in the Linux kernel through 3.10.3 makes an incorrect
function call for pending data, which allows local users to cause a
denial of service (BUG and system crash) via a crafted application that
uses the UDP_CORK option in a setsockopt system call (CVE-2013-4162).

The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6
implementation in the Linux kernel through 3.10.3 does not properly
maintain information about whether the IPV6_MTU setsockopt option
had been specified, which allows local users to cause a denial of
service (BUG and system crash) via a crafted application that uses
the UDP_CORK option in a setsockopt system call (CVE-2013-4163).

The validate_event function in arch/arm/kernel/perf_event.c in the
Linux kernel before 3.10.8 on the ARM platform allows local users to
gain privileges or cause a denial of service (NULL pointer dereference
and system crash) by adding a hardware event to an event group led
by a software event. (CVE-2013-4254)

Interpretation conflict in drivers/md/dm-snap-persistent.c in the Linux
kernel through 3.11.6 allows remote authenticated users to obtain sensitive
information or modify data via a crafted mapping to a snapshot block device.
(CVE-2013-4299)

The skb_flow_dissect function in net/core/flow_dissector.c in the
Linux kernel through 3.12 allows remote attackers to cause a denial
of service (infinite loop) via a small value in the IHL field of a
packet with IPIP encapsulation (CVE-2013-4348).
 
The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel
through 3.11.1 uses data structures and function calls that do not
trigger an intended configuration of IPsec encryption, which allows
remote attackers to obtain sensitive information by sniffing the
network (CVE-2013-4350).

net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not
properly determine the need for UDP Fragmentation Offload (UFO)
processing of small packets after the UFO queueing of a large packet,
which allows remote attackers to cause a denial of service (memory
corruption and system crash) or possibly have unspecified other
impact via network traffic that triggers a large response packet
(CVE-2013-4387).

The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is
enabled, does not properly initialize certain data structures, which
allows local users to cause a denial of service (memory corruption and
system crash) or possibly gain privileges via a crafted application
that uses the UDP_CORK option in a setsockopt system call and
sends both short and long packets, related to the ip_ufo_append_data
function in net/ipv4/ip_output.c and the ip6_ufo_append_data function
in net/ipv6/ip6_output.c (CVE-2013-4470).

Other fixes:
- The vserver patch has been updated to vs2.3.6.8.
- cpufreq: ondemand: Change the calculation of target frequency

For other -stable fixes, read the referenced changelogs.

References:
http://kernelnewbies.org/Linux_3.9
http://kernelnewbies.org/Linux_3.10
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.1
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.2
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.3
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.4
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.5
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.6
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.7
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.8
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.9
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.10
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.11
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.12
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.13
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.14
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.15
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.16
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.17
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.18
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.19

Dave Hodgins 2013-11-22 01:13:45 CET

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Thomas Backlund 2013-11-22 20:51:38 CET

Depends on: (none) => 11463

Comment 6 Thomas Backlund 2013-12-05 20:47:46 CET
All rolled up to 3.10.22, additional fixes:

- squash additional cves: CVE-2013-2929, CVE-2013-2930, + yet another ipc fix 
- includes an acpi backlight fix that helps hw that sets it to off/0

SRPM:
kernel-vserver-3.10.22-1.mga3.src.rpm

i586:
kernel-vserver-3.10.22-1.mga3-1-1.mga3.i586.rpm
kernel-vserver-devel-3.10.22-1.mga3-1-1.mga3.i586.rpm
kernel-vserver-devel-latest-3.10.22-1.mga3.i586.rpm
kernel-vserver-doc-3.10.22-1.mga3.noarch.rpm
kernel-vserver-latest-3.10.22-1.mga3.i586.rpm
kernel-vserver-source-3.10.22-1.mga3-1-1.mga3.noarch.rpm
kernel-vserver-source-latest-3.10.22-1.mga3.noarch.rpm

x86_64:
kernel-vserver-3.10.22-1.mga3-1-1.mga3.x86_64.rpm
kernel-vserver-devel-3.10.22-1.mga3-1-1.mga3.x86_64.rpm
kernel-vserver-devel-latest-3.10.22-1.mga3.x86_64.rpm
kernel-vserver-doc-3.10.22-1.mga3.noarch.rpm
kernel-vserver-latest-3.10.22-1.mga3.x86_64.rpm
kernel-vserver-source-3.10.22-1.mga3-1-1.mga3.noarch.rpm
kernel-vserver-source-latest-3.10.22-1.mga3.noarch.rpm

Keywords: validated_update => (none)
Summary: Update request: kernel-vserver-3.10.19-1.mga3 => Update request: kernel-vserver-3.10.22-1.mga3
Source RPM: kernel-vserver-3.10.19-1.mga3 => kernel-vserver-3.10.22-1.mga3
Whiteboard: advisory MGA3-64-OK MGA3-32-OK => (none)

Comment 7 Thomas Backlund 2013-12-12 20:57:23 CET
All rolled up to 3.10.24, for more security fixes, no CVE yet

SRPM:
kernel-vserver-3.10.24-1.mga3.src.rpm

i586:
kernel-vserver-3.10.24-1.mga3-1-1.mga3.i586.rpm
kernel-vserver-devel-3.10.24-1.mga3-1-1.mga3.i586.rpm
kernel-vserver-devel-latest-3.10.24-1.mga3.i586.rpm
kernel-vserver-doc-3.10.24-1.mga3.noarch.rpm
kernel-vserver-latest-3.10.24-1.mga3.i586.rpm
kernel-vserver-source-3.10.24-1.mga3-1-1.mga3.noarch.rpm
kernel-vserver-source-latest-3.10.24-1.mga3.noarch.rpm

x86_64:
kernel-vserver-3.10.24-1.mga3-1-1.mga3.x86_64.rpm
kernel-vserver-devel-3.10.24-1.mga3-1-1.mga3.x86_64.rpm
kernel-vserver-devel-latest-3.10.24-1.mga3.x86_64.rpm
kernel-vserver-doc-3.10.24-1.mga3.noarch.rpm
kernel-vserver-latest-3.10.24-1.mga3.x86_64.rpm
kernel-vserver-source-3.10.24-1.mga3-1-1.mga3.noarch.rpm
kernel-vserver-source-latest-3.10.24-1.mga3.noarch.rpm

Summary: Update request: kernel-vserver-3.10.22-1.mga3 => Update request: kernel-vserver-3.10.24-1.mga3
Source RPM: kernel-vserver-3.10.22-1.mga3 => kernel-vserver-3.10.24-1.mga3

Comment 8 Thomas Backlund 2013-12-13 23:00:38 CET
upstream kernels also fixed:
CVE-2013-6378
CVE-2013-6379
CVE-2013-6380
CVE-2013-6381
CVE-2013-6383

Comment 9 Thomas Backlund 2013-12-13 23:03:38 CET
I've added patches for:
- kvm: division by zero in apic_get_tmcct() (CVE-2013-6367)
- kvm: cross page vapic_addr access (CVE-2013-6368)
- kvm: BUG_ON() in apic_cluster_id() (CVE-2013-6376)
- xfs: underflow bug in xfs_attrlist_by_handle() (CVE-2013-6382)
- xfs: add capability check to free eofblocks ioctl (CVE pending)

rpms to validate:

SRPM:
kernel-vserver-3.10.24-2.mga3.src.rpm

i586:
kernel-vserver-3.10.24-2.mga3-1-1.mga3.i586.rpm
kernel-vserver-devel-3.10.24-2.mga3-1-1.mga3.i586.rpm
kernel-vserver-devel-latest-3.10.24-2.mga3.i586.rpm
kernel-vserver-doc-3.10.24-2.mga3.noarch.rpm
kernel-vserver-latest-3.10.24-2.mga3.i586.rpm
kernel-vserver-source-3.10.24-2.mga3-1-1.mga3.noarch.rpm
kernel-vserver-source-latest-3.10.24-2.mga3.noarch.rpm

x86_64:
kernel-vserver-3.10.24-2.mga3-1-1.mga3.x86_64.rpm
kernel-vserver-devel-3.10.24-2.mga3-1-1.mga3.x86_64.rpm
kernel-vserver-devel-latest-3.10.24-2.mga3.x86_64.rpm
kernel-vserver-doc-3.10.24-2.mga3.noarch.rpm
kernel-vserver-latest-3.10.24-2.mga3.x86_64.rpm
kernel-vserver-source-3.10.24-2.mga3-1-1.mga3.noarch.rpm
kernel-vserver-source-latest-3.10.24-2.mga3.noarch.rpm

Summary: Update request: kernel-vserver-3.10.24-1.mga3 => Update request: kernel-vserver-3.10.24-2.mga3
Source RPM: kernel-vserver-3.10.24-1.mga3 => kernel-vserver-3.10.24-2.mga3

Comment 10 Dave Hodgins 2013-12-16 21:17:24 CET
Regression found. With 3.10.24-vserver-2.mga3, loading a dkms module such as
fglrx, fails with
modprobe: ERROR: could not insert 'fglrx': Exec format error
on both i586 and x86_64.

While this was normal with the Mageia 2 vserver kernels, the modules loaded ok
with 3.7.10-vserver-1.mga3 and 3.10.19-vserver-1.mga3.

With the Core Updates kernels, this only happens on i586 with the
3.8.13.4-0.rt14.2.mga3 kernel. It doesn't happen with the 3.10.19-0.rt14.1.mga3
kernel.

Whiteboard: (none) => feedback

Comment 11 Thomas Backlund 2013-12-17 21:07:00 CET
I think we should push this as is this time, as most if not all vserver users do not install fglrx, and there are some important security issues fixed.

I will look into finding out if the fglrx stuff can be fixed for next time...


Updated advisory:

This kernel-vserver update provides an update to the 3.10 longterm branch,
currently 3.10.24 and fixes the following security issues:

The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel
through 3.10 does not properly handle problems with the generation of IPv6
temporary addresses, which allows remote attackers to cause a denial of
service (excessive retries and address-generation outage), and consequently
obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages.
(CVE-2013-0343)

net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers
to cause a denial of service (NULL pointer dereference and system crash) or
possibly have unspecified other impact via an auth_reply message that
triggers an attempted build_request operation. (CVE-2013-1059)

The dispatch_discard_io function in drivers/block/xen-blkback/blkback.c in
the Xen blkback implementation in the Linux kernel before 3.10.5 allows guest
OS users to cause a denial of service (data loss) via filesystem write
operations on a read-only disk that supports the (1) BLKIF_OP_DISCARD
(aka discard or TRIM) or (2) SCSI UNMAP feature. (CVE-2013-2140)

The HP Smart Array controller disk-array driver and Compaq SMART2 controller
disk-array driver in the Linux kernel through 3.9.4 do not initialize certain
data structures, which allows local users to obtain sensitive information from
kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device,
related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2)
a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the
cciss_ioctl32_passthru function in drivers/block/cciss.c. (CVE-2013-2147)

Format string vulnerability in the register_disk function in block/genhd.c
in the Linux kernel through 3.9.4 allows local users to gain privileges by
leveraging root access and writing format string specifiers to
/sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md
device name. (CVE-2013-2851)

Multiple array index errors in drivers/hid/hid-core.c in the Human
Interface Device (HID) subsystem in the Linux kernel through 3.11
allow physically proximate attackers to execute arbitrary code or
cause a denial of service (heap memory corruption) via a crafted
device that provides an invalid Report ID (CVE-2013-2888).
 
drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem
in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled,
allows physically proximate attackers to cause a denial of service
(heap-based out-of-bounds write) via a crafted device (CVE-2013-2889).
 
drivers/hid/hid-steelseries.c in the Human Interface Device (HID) subsystem
in the Linux kernel through 3.11, when CONFIG_HID_STEELSERIES is enabled,
allows physically proximate attackers to cause a denial of service
(heap-based out-of-bounds write) via a crafted device. (CVE-2013-2891)

drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in
the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled,
allows physically proximate attackers to cause a denial of service
(heap-based out-of-bounds write) via a crafted device (CVE-2013-2892).

The Human Interface Device (HID) subsystem in the Linux kernel
through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or
CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate
attackers to cause a denial of service (heap-based out-of-bounds
write) via a crafted device, related to (1) drivers/hid/hid-lgff.c,
(2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c
(CVE-2013-2893).

drivers/hid/hid-lenovo-tpkbd.c in the Human Interface Device (HID) subsystem
in the Linux kernel through 3.11, when CONFIG_HID_LENOVO_TPKBD is enabled,
allows physically proximate attackers to cause a denial of service
(heap-based out-of-bounds write) via a crafted device. (CVE-2013-2894)

drivers/hid/hid-logitech-dj.c in the Human Interface Device (HID)
subsystem in the Linux kernel through 3.11, when CONFIG_HID_LOGITECH_DJ
is enabled, allows physically proximate attackers to cause a denial
of service (NULL pointer dereference and OOPS) or obtain sensitive
information from kernel memory via a crafted device (CVE-2013-2895).

drivers/hid/hid-ntrig.c in the Human Interface Device (HID)
subsystem in the Linux kernel through 3.11, when CONFIG_HID_NTRIG
is enabled, allows physically proximate attackers to cause a denial
of service (NULL pointer dereference and OOPS) via a crafted device
(CVE-2013-2896).

Multiple array index errors in drivers/hid/hid-multitouch.c in the
Human Interface Device (HID) subsystem in the Linux kernel through
3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate
attackers to cause a denial of service (heap memory corruption, or NULL
pointer dereference and OOPS) via a crafted device (CVE-2013-2897).

drivers/hid/hid-sensor-hub.c in the Human Interface Device (HID) subsystem
in the Linux kernel through 3.11, when CONFIG_HID_SENSOR_HUB is enabled,
allows physically proximate attackers to obtain sensitive information from
kernel memory via a crafted device. (CVE-2013-2898)

drivers/hid/hid-picolcd_core.c in the Human Interface Device (HID)
subsystem in the Linux kernel through 3.11, when CONFIG_HID_PICOLCD
is enabled, allows physically proximate attackers to cause a denial
of service (NULL pointer dereference and OOPS) via a crafted device
(CVE-2013-2899).

The Linux kernel before 3.12.2 does not properly use the get_dumpable
function, which allows local users to bypass intended ptrace restrictions
or obtain sensitive information from IA64 scratch registers via a crafted
application, related to kernel/ptrace.c and
arch/ia64/include/asm/processor.h. (CVE-2013-2929)

The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the
Linux kernel before 3.12.2 does not properly restrict access to the perf
subsystem, which allows local users to enable function tracing via a crafted
application. (CVE-2013-2930)

The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6
implementation in the Linux kernel through 3.10.3 makes an incorrect
function call for pending data, which allows local users to cause a
denial of service (BUG and system crash) via a crafted application that
uses the UDP_CORK option in a setsockopt system call (CVE-2013-4162).

The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6
implementation in the Linux kernel through 3.10.3 does not properly
maintain information about whether the IPV6_MTU setsockopt option
had been specified, which allows local users to cause a denial of
service (BUG and system crash) via a crafted application that uses
the UDP_CORK option in a setsockopt system call (CVE-2013-4163).

The validate_event function in arch/arm/kernel/perf_event.c in the
Linux kernel before 3.10.8 on the ARM platform allows local users to
gain privileges or cause a denial of service (NULL pointer dereference
and system crash) by adding a hardware event to an event group led
by a software event. (CVE-2013-4254)

Interpretation conflict in drivers/md/dm-snap-persistent.c in the Linux
kernel through 3.11.6 allows remote authenticated users to obtain sensitive
information or modify data via a crafted mapping to a snapshot block device.
(CVE-2013-4299)

The skb_flow_dissect function in net/core/flow_dissector.c in the
Linux kernel through 3.12 allows remote attackers to cause a denial
of service (infinite loop) via a small value in the IHL field of a
packet with IPIP encapsulation (CVE-2013-4348).
 
The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel
through 3.11.1 uses data structures and function calls that do not
trigger an intended configuration of IPsec encryption, which allows
remote attackers to obtain sensitive information by sniffing the
network (CVE-2013-4350).

net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not
properly determine the need for UDP Fragmentation Offload (UFO)
processing of small packets after the UFO queueing of a large packet,
which allows remote attackers to cause a denial of service (memory
corruption and system crash) or possibly have unspecified other
impact via network traffic that triggers a large response packet
(CVE-2013-4387).

The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is
enabled, does not properly initialize certain data structures, which
allows local users to cause a denial of service (memory corruption and
system crash) or possibly gain privileges via a crafted application
that uses the UDP_CORK option in a setsockopt system call and
sends both short and long packets, related to the ip_ufo_append_data
function in net/ipv4/ip_output.c and the ip6_ufo_append_data function
in net/ipv6/ip6_output.c (CVE-2013-4470).

Buffer overflow in the oz_cdev_write function in
drivers/staging/ozwpan/ozcdev.c in the Linux kernel before 3.12 allows local
users to cause a denial of service or possibly have unspecified other impact
via a crafted write operation. (CVE-2013-4513)

Array index error in the kvm_vm_ioctl_create_vcpu function in
virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5
allows local users to gain privileges via a large id value.
(CVE-2013-4587)

The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in
the Linux kernel through 3.12.5 allows guest OS users to cause a denial of
service (divide-by-zero error and host OS crash) via crafted modifications
of the TMICT value. (CVE-2013-6367)

The KVM subsystem in the Linux kernel through 3.12.5 allows local users to
gain privileges or cause a denial of service (system crash) via a VAPIC
synchronization operation involving a page-end address. (CVE-2013-6368)

The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM
subsystem in the Linux kernel through 3.12.5 allows guest OS users to
cause a denial of service (host OS crash) via a crafted ICR write operation
in x2apic mode. (CVE-2013-6376)

The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c
in the Linux kernel through 3.12.1 allows local users to cause a denial of
service (OOPS) by leveraging root privileges for a zero-length write
operation. (CVE-2013-6378)

The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in the Linux
kernel through 3.12.1 does not properly validate a certain size value, which
allows local users to cause a denial of service (invalid pointer dereference)
or possibly have unspecified other impact via an FSACTL_SEND_RAW_SRB ioctl
call that triggers a crafted SRB command. (CVE-2013-6380)

Buffer overflow in the qeth_snmp_command function in
drivers/s390/net/qeth_core_main.c in the Linux kernel through 3.12.1 allows
local users to cause a denial of service or possibly have unspecified other
impact via an SNMP ioctl call with a length value that is incompatible with
the command-buffer size. (CVE-2013-6381)

Multiple buffer underflows in the XFS implementation in the Linux kernel
through 3.12.1 allow local users to cause a denial of service (memory
corruption) or possibly have unspecified other impact by leveraging the
CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2)
XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value,
related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c
and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c.
(CVE-2013-6382)

The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux
kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which
allows local users to bypass intended access restrictions via a crafted ioctl
call. (CVE-2013-6383)

Other fixes:
- xfs: add capability check to free eofblocks ioctl (CVE pending)
- cpufreq: ondemand: Change the calculation of target frequency
- The vserver patch has been updated to vs2.3.6.8.

For other -stable fixes, read the referenced changelogs.

References:
http://kernelnewbies.org/Linux_3.9
http://kernelnewbies.org/Linux_3.10
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.1
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.2
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.3
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.4
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.5
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.6
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.7
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.8
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.9
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.10
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.11
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.12
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.13
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.14
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.15
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.16
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.17
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.18
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.19
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.20
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.21
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.22
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.23
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.24

Whiteboard: feedback => (none)

Dave Hodgins 2013-12-17 22:21:57 CET

Whiteboard: (none) => advisory

Dave Hodgins 2013-12-17 22:24:29 CET

Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-64-OK MGA3-32-OK

Comment 12 Thomas Backlund 2013-12-18 00:49:35 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0375.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
