First published: Tue May 27 2014
The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

* A race condition leading to a use-after-free flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled the addition of fragments to the LRU (Least Recently Used) list under certain conditions. A remote attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system by sending a large amount of specially crafted fragmented packets to that system. (CVE-2014-0100, Important)

* A race condition flaw, leading to heap-based buffer overflows, was found in the way the Linux kernel's N_TTY line discipline (LDISC) implementation handled concurrent processing of echo output and TTY write operations originating from user space when the underlying TTY driver was PTY. An unprivileged, local user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-0196, Important)

* A flaw was found in the way the Linux kernel's floppy driver handled user space provided data in certain error code paths while processing FDRAWCMD IOCTL commands. A local user with write access to /dev/fdX could use this flaw to free (using the kfree() function) arbitrary kernel memory. (CVE-2014-1737, Important)

* It was found that the Linux kernel's floppy driver leaked internal kernel memory addresses to user space during the processing of the FDRAWCMD IOCTL command. A local user with write access to /dev/fdX could use this flaw to obtain information about the kernel heap arrangement. (CVE-2014-1738, Low)

Note: A local user with write access to /dev/fdX could use these two flaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate their privileges on the system.

* A use-after-free flaw was found in the way the ping_init_sock() function of the Linux kernel handled the group_info reference counter. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-2851, Important)

* It was found that a remote attacker could use a race condition flaw in the ath_tx_aggr_sleep() function to crash the system by generating a large amount of network traffic on the system's Atheros 9k wireless network adapter. (CVE-2014-2672, Moderate)

* A NULL pointer dereference flaw was found in the rds_iw_laddr_check() function in the Linux kernel's implementation of Reliable Datagram Sockets (RDS). A local, unprivileged user could use this flaw to crash the system. (CVE-2014-2678, Moderate)

* A race condition flaw was found in the way the Linux kernel's mac80211 subsystem implementation handled synchronization between TX and STA wake-up code paths. A remote attacker could use this flaw to crash the system. (CVE-2014-2706, Moderate)

* It was found that the try_to_unmap_cluster() function in the Linux kernel's Memory Management subsystem did not properly handle page locking in certain cases, which could potentially trigger the BUG_ON() macro in the mlock_vma_page() function. A local, unprivileged user could use this flaw to crash the system. (CVE-2014-3122, Moderate)

Red Hat would like to thank Matthew Daley for reporting CVE-2014-1737 and CVE-2014-1738. The CVE-2014-0100 issue was discovered by Nikolay Aleksandrov of Red Hat.

Users are advised to upgrade to these updated packages, which upgrade the kernel-rt kernel to version kernel-rt-3.10.33-rt32.34 and correct these issues. The system must be rebooted for this update to take effect.

Affected Software | Affected Version | How to fix |
---|---|---|
redhat/kernel-rt | <3.10.33-rt32.34.el6 | 3.10.33-rt32.34.el6 |
redhat/kernel-rt-debug | <3.10.33-rt32.34.el6 | 3.10.33-rt32.34.el6 |
redhat/kernel-rt-debug-debuginfo | <3.10.33-rt32.34.el6 | 3.10.33-rt32.34.el6 |
redhat/kernel-rt-debug-devel | <3.10.33-rt32.34.el6 | 3.10.33-rt32.34.el6 |
redhat/kernel-rt-debuginfo | <3.10.33-rt32.34.el6 | 3.10.33-rt32.34.el6 |
redhat/kernel-rt-devel | <3.10.33-rt32.34.el6 | 3.10.33-rt32.34.el6 |
redhat/kernel-rt-doc | <3.10.33-rt32.34.el6 | 3.10.33-rt32.34.el6 |
redhat/kernel-rt-firmware | <3.10.33-rt32.34.el6 | 3.10.33-rt32.34.el6 |
redhat/kernel-rt-trace | <3.10.33-rt32.34.el6 | 3.10.33-rt32.34.el6 |
redhat/kernel-rt-trace-debuginfo | <3.10.33-rt32.34.el6 | 3.10.33-rt32.34.el6 |
redhat/kernel-rt-trace-devel | <3.10.33-rt32.34.el6 | 3.10.33-rt32.34.el6 |
redhat/kernel-rt-vanilla | <3.10.33-rt32.34.el6 | 3.10.33-rt32.34.el6 |
redhat/kernel-rt-vanilla-debuginfo | <3.10.33-rt32.34.el6 | 3.10.33-rt32.34.el6 |
redhat/kernel-rt-vanilla-devel | <3.10.33-rt32.34.el6 | 3.10.33-rt32.34.el6 |
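
The following is an added example, not part of the original advisory: a check that flags kernel-rt packages older than the fixed version in the table, and separately tests the running kernel, since the update only takes effect after a reboot. It assumes input rows produced by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` and a `uname -r` string of the form VERSION-RELEASE.arch; the function names and sample rows are constructed for illustration.

```python
import re

FIXED = "3.10.33-rt32.34.el6"  # fixed version-release from the advisory table
PREFIX = "kernel-rt"           # every affected package name starts with this

def _segments(s):
    # rpm compares maximal runs of digits or letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpm_cmp(a, b):
    """Order a and b like rpmvercmp: -1, 0 or 1 (tilde/caret not handled)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run beats letters
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    # Compare VERSION first, then RELEASE; epoch is ignored in this sketch.
    (va, ra), (vb, rb) = a.split("-", 1), b.split("-", 1)
    return rpm_cmp(va, vb) or rpm_cmp(ra, rb)

def unpatched(rpm_lines):
    """Return (name, version-release) for kernel-rt packages below FIXED."""
    hits = []
    for line in rpm_lines:
        name, vr = line.split()
        if name.startswith(PREFIX) and evr_cmp(vr, FIXED) < 0:
            hits.append((name, vr))
    return hits

def running_is_unpatched(uname_r):
    # Assumption: uname -r is VERSION-RELEASE followed by ".arch".
    return evr_cmp(uname_r.rsplit(".", 1)[0], FIXED) < 0

# Constructed sample rows, not taken from a real host.
SAMPLE_RPMS = [
    "kernel-rt 3.10.33-rt32.34.el6",        # already at the fixed version
    "kernel-rt 3.8.13-rt27.40.el6",         # older kernel left installed
    "kernel-rt-devel 3.10.33-rt32.33.el6",  # one release behind
    "kernel 2.6.32-431.el6",                # not a kernel-rt package
]

if __name__ == "__main__":
    print(unpatched(SAMPLE_RPMS))
    print(running_is_unpatched("3.10.33-rt32.33.el6.x86_64"))
```

A host can report no outdated packages and still return True from `running_is_unpatched` until it is rebooted into the updated kernel.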