First published: Tue Apr 23 2013
Security:

- An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the Intel i915 driver in the Linux kernel handled the allocation of the buffer used for relocation copies. A local user with console access could use this flaw to cause a denial of service or escalate their privileges. (CVE-2013-0913, Important)
- A buffer overflow flaw was found in the way UTF-8 characters were converted to UTF-16 in the utf8s_to_utf16s() function of the Linux kernel's FAT file system implementation. A local user able to mount a FAT file system with the "utf8=1" option could use this flaw to crash the system or, potentially, to escalate their privileges. (CVE-2013-1773, Important)
- A flaw was found in the way KVM handled guest time updates when the buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) crossed a page boundary. A privileged guest user could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the host kernel level. (CVE-2013-1796, Important)
- A potential use-after-free flaw was found in the way KVM handled guest time updates when the GPA (guest physical address) the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell into a movable or removable memory region of the hosting user-space process (by default, QEMU-KVM) on the host. If that memory region is deregistered from KVM using KVM_SET_USER_MEMORY_REGION and the allocated virtual memory reused, a privileged guest user could potentially use this flaw to escalate their privileges on the host. (CVE-2013-1797, Important)
- A flaw was found in the way KVM emulated IOAPIC (I/O Advanced Programmable Interrupt Controller). A missing validation check in the ioapic_read_indirect() function could allow a privileged guest user to crash the host, or read a substantial portion of host kernel memory. (CVE-2013-1798, Important)
- A race condition in install_user_keyrings(), leading to a NULL pointer dereference, was found in the key management facility. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-1792, Moderate)
- A NULL pointer dereference in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to cause a denial of service. (CVE-2013-1826, Moderate)
- A NULL pointer dereference in the Datagram Congestion Control Protocol (DCCP) implementation could allow a local user to cause a denial of service. (CVE-2013-1827, Moderate)
- Information leak flaws in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2012-6537, Low)
- Two information leak flaws in the Asynchronous Transfer Mode (ATM) subsystem could allow a local, unprivileged user to leak kernel stack memory to user-space. (CVE-2012-6546, Low)
- An information leak was found in the TUN/TAP device driver in the networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space. (CVE-2012-6547, Low)
- An information leak in the Bluetooth implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space. (CVE-2013-0349, Low)
- A use-after-free flaw was found in the tmpfs implementation. A local user able to mount and unmount a tmpfs file system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1767, Low)
- A NULL pointer dereference was found in the Linux kernel's USB Inside Out Edgeport Serial Driver implementation. An attacker with physical access to a system could use this flaw to cause a denial of service. (CVE-2013-1774, Low)

Red Hat would like to thank Andrew Honig of Google for reporting CVE-2013-1796, CVE-2013-1797, and CVE-2013-1798. CVE-2013-1792 was discovered by Mateusz Guzik of Red Hat EMEA GSS SEG Team.

Affected Software | Affected Version | How to fix |
---|---|---|
redhat/kernel | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/kernel-debug | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/kernel-debug-debuginfo | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/kernel-debug-devel | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/kernel-debuginfo | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/kernel-devel | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/kernel-doc | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/kernel-firmware | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/kernel-headers | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/perf | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/perf-debuginfo | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/python-perf | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/python-perf-debuginfo | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/kernel-debuginfo-common-i686 | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/kernel-debuginfo-common-s390x | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/kernel-kdump | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/kernel-kdump-debuginfo | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/kernel-kdump-devel | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/kernel-bootwrapper | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
redhat/kernel-debuginfo-common-ppc64 | <2.6.32-358.6.1.el6 | 2.6.32-358.6.1.el6 |
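
To check a host against the table above, the following added example (not part of the advisory or of any Red Hat tooling) compares an installed el6 kernel version-release string with the fixed build `2.6.32-358.6.1.el6`. It uses a simplified form of RPM's segment-wise ordering that ignores epochs and `~`/`^` markers; the function names and the sample version strings are assumptions made for illustration.

```python
import re

# Fixed package version-release from the advisory's table.
FIXED = "2.6.32-358.6.1.el6"

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")
_ARCH = re.compile(r"\.(x86_64|i686|s390x|ppc64|noarch)$")


def rpmvercmp(a, b):
    """Simplified RPM ordering of two version or release strings: -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1      # a numeric segment is newer than an alphabetic one
        if x_num:
            x, y = int(x), int(y)          # compare 11 > 6 as numbers, not as text
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_version_release(vr):
    """Split 'version-release[.arch]' as printed by rpm -q or uname -r."""
    version, _, release = _ARCH.sub("", vr).partition("-")
    return version, release


def is_affected(installed, fixed=FIXED):
    """True if an el6 kernel build sorts before the fixed build."""
    version, release = split_version_release(installed)
    if not re.search(r"\.el6($|[._])", release):
        raise ValueError("not an el6 build: %r" % installed)
    fixed_version, fixed_release = split_version_release(fixed)
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order < 0


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in ("2.6.32-358.el6.x86_64", "2.6.32-358.2.1.el6.x86_64",
                   "2.6.32-358.6.1.el6.i686", "2.6.32-358.11.1.el6.x86_64"):
        print(sample, "AFFECTED" if is_affected(sample) else "fixed")
```

A plain string comparison would rank `358.11.1` below `358.6.1`, which is why each dotted segment is compared numerically.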