RHSA-2014:0285: Important: kernel security, bug fix, and enhancement update

First published: Wed Mar 12 2014(Updated: )

The kernel packages contain the Linux kernel, the core of any Linux<br>operating system.<br><li> A buffer overflow flaw was found in the way the qeth_snmp_command()</li> function in the Linux kernel's QETH network device driver implementation<br>handled SNMP IOCTL requests with an out-of-bounds length. A local,<br>unprivileged user could use this flaw to crash the system or, potentially,<br>escalate their privileges on the system. (CVE-2013-6381, Important)<br><li> A flaw was found in the way the ipc_rcu_putref() function in the Linux</li> kernel's IPC implementation handled reference counter decrementing.<br>A local, unprivileged user could use this flaw to trigger an Out of Memory<br>(OOM) condition and, potentially, crash the system. (CVE-2013-4483,<br>Moderate)<br><li> It was found that the Xen hypervisor implementation did not correctly</li> check privileges of hypercall attempts made by HVM guests, allowing<br>hypercalls to be invoked from protection rings 1 and 2 in addition to ring<br>0. A local attacker in an HVM guest able to execute code on privilege<br>levels 1 and 2 could potentially use this flaw to further escalate their<br>privileges in that guest. Note: Xen HVM guests running unmodified versions<br>of Red Hat Enterprise Linux and Microsoft Windows are not affected by this<br>issue because they are known to only use protection rings 0 (kernel) and 3<br>(userspace). (CVE-2013-4554, Moderate)<br><li> A flaw was found in the way the Linux kernel's Adaptec RAID controller</li> (aacraid) checked permissions of compat IOCTLs. A local attacker could use<br>this flaw to bypass intended security restrictions. (CVE-2013-6383,<br>Moderate)<br><li> It was found that, under specific circumstances, a combination of write</li> operations to write-combined memory and locked CPU instructions may cause a<br>core hang on certain AMD CPUs (for more information, refer to AMD CPU<br>erratum 793 linked in the References section). A privileged user in a guest<br>running under the Xen hypervisor could use this flaw to cause a denial of<br>service on the host system. This update adds a workaround to the Xen<br>hypervisor implementation, which mitigates the AMD CPU issue. Note: this<br>issue only affects AMD Family 16h Models 00h-0Fh Processors. Non-AMD CPUs<br>are not vulnerable. (CVE-2013-6885, Moderate)<br><li> It was found that certain protocol handlers in the Linux kernel's</li> networking implementation could set the addr_len value without initializing<br>the associated data structure. A local, unprivileged user could use this<br>flaw to leak kernel stack memory to user space using the recvmsg, recvfrom,<br>and recvmmsg system calls. (CVE-2013-7263, Low)<br><li> A flaw was found in the way the get_dumpable() function return value was</li> interpreted in the ptrace subsystem of the Linux kernel. When<br>'fs.suid_dumpable' was set to 2, a local, unprivileged local user could<br>use this flaw to bypass intended ptrace restrictions and obtain<br>potentially sensitive information. (CVE-2013-2929, Low)<br>Red Hat would like to thank Vladimir Davydov of Parallels for reporting<br>CVE-2013-4483 and the Xen project for reporting CVE-2013-4554 and<br>CVE-2013-6885. Upstream acknowledges Jan Beulich as the original reporter<br>of CVE-2013-4554 and CVE-2013-6885.<br>This update also fixes several bugs and adds one enhancement.<br>Documentation for these changes will be available shortly from the<br>Technical Notes document linked to in the References section.<br>All kernel users are advised to upgrade to these updated packages, which<br>contain backported patches to correct these issues and add this<br>enhancement. The system must be rebooted for this update to take effect.<br>

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/description
• agent/event
• agent/first-publish-date
• agent/last-modified-date
• agent/references
• agent/remedy
• agent/severity
• agent/softwarecombine
• agent/tags
• agent/title
• agent/type
• agent/weakness
• collector/redhat-errata
• anchor-id/RHSA-2014:0285
• package-manager/redhat