Skip to navigation

Security Advisory Important: kernel-rt security and bug fix update

Advisory: RHSA-2012:1491-1
Type: Security Advisory
Severity: Important
Issued on: 2012-12-04
Last updated on: 2012-12-04
Affected Products: Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 6)
CVEs (cve.mitre.org): CVE-2012-0957
CVE-2012-2133
CVE-2012-3400
CVE-2012-3430
CVE-2012-3511
CVE-2012-3520
CVE-2012-4508
CVE-2012-4565

Details

Updated kernel-rt packages that fix several security issues and multiple
bugs are now available for Red Hat Enterprise MRG 2.2.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.

This update fixes the following security issues:

* A flaw was found in the way Netlink messages without SCM_CREDENTIALS
(used for authentication) data set were handled. When not explicitly set,
the data was sent but with all values set to 0, including the process ID
and user ID, causing the Netlink message to appear as if it were sent with
root privileges. A local, unprivileged user could use this flaw to send
spoofed Netlink messages to an application, possibly resulting in the
application performing privileged operations if it relied on
SCM_CREDENTIALS data for the authentication of Netlink messages.
(CVE-2012-3520, Important)

* A race condition was found in the way asynchronous I/O and fallocate()
interacted when using the ext4 file system. A local, unprivileged user
could use this flaw to expose random data from an extent whose data blocks
have not yet been written, and thus contain data from a deleted file.
(CVE-2012-4508, Important)

* A use-after-free flaw was found in the Linux kernel's memory management
subsystem in the way quota handling for huge pages was performed. A local,
unprivileged user could use this flaw to cause a denial of service or,
potentially, escalate their privileges. (CVE-2012-2133, Moderate)

* A use-after-free flaw was found in the madvise() system call
implementation in the Linux kernel. A local, unprivileged user could use
this flaw to cause a denial of service or, potentially, escalate their
privileges. (CVE-2012-3511, Moderate)

* A divide-by-zero flaw was found in the TCP Illinois congestion control
algorithm implementation in the Linux kernel. If the TCP Illinois
congestion control algorithm were in use (the sysctl
net.ipv4.tcp_congestion_control variable set to "illinois"), a local,
unprivileged user could trigger this flaw and cause a denial of service.
(CVE-2012-4565, Moderate)

* An information leak flaw was found in the uname() system call
implementation in the Linux kernel. A local, unprivileged user could use
this flaw to leak kernel stack memory to user-space by setting the UNAME26
personality and then calling the uname() system call. (CVE-2012-0957, Low)

* Buffer overflow flaws were found in the udf_load_logicalvol() function in
the Universal Disk Format (UDF) file system implementation in the Linux
kernel. An attacker with physical access to a system could use these flaws
to cause a denial of service or escalate their privileges. (CVE-2012-3400,
Low)

* A flaw was found in the way the msg_namelen variable in the rds_recvmsg()
function of the Linux kernel's Reliable Datagram Sockets (RDS) protocol
implementation was initialized. A local, unprivileged user could use this
flaw to leak kernel stack memory to user-space. (CVE-2012-3430, Low)

Red Hat would like to thank Pablo Neira Ayuso for reporting CVE-2012-3520;
Theodore Ts'o for reporting CVE-2012-4508; Shachar Raindel for reporting
CVE-2012-2133; and Kees Cook for reporting CVE-2012-0957. Upstream
acknowledges Dmitry Monakhov as the original reporter of CVE-2012-4508. The
CVE-2012-4565 issue was discovered by Rodrigo Freire of Red Hat, and the
CVE-2012-3430 issue was discovered by the Red Hat InfiniBand team.

This update also fixes multiple bugs. Documentation for these changes will
be available shortly from the Technical Notes document linked to in the
References section.

Users should upgrade to these updated packages, which upgrade the kernel-rt
kernel to version kernel-rt-3.2.33-rt50, and correct these issues. The
system must be rebooted for this update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system.

Updated packages

Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 6)

SRPMS:
kernel-rt-3.2.33-rt50.66.el6rt.src.rpm
File outdated by:  RHBA-2014:0381
    MD5: 2edf12ec8958748de89718eecef74d2e
SHA-256: 81e0b74c896d18fc7bbff2de1537ef0b21e524640f37b4d86d81dbfbc4d95d97
 
x86_64:
kernel-rt-3.2.33-rt50.66.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
    MD5: 94203e1e855d54337a848cab00471e36
SHA-256: e6ae4f9f76b7a7f5f8f254c0b883664c41fd5ca8ba5eb57126c96a0401068877
kernel-rt-debug-3.2.33-rt50.66.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
    MD5: 93646f53f6135f7b02138246d152200c
SHA-256: 9ba9dddb5fff07ececb7725f20afa6671f618cf7a1d6d1e7947fc5bbc066ee3c
kernel-rt-debug-debuginfo-3.2.33-rt50.66.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
    MD5: 3dcfee1fcae0efff86b9bf3cad72cb26
SHA-256: 01ceaff2f4d1f465d867db2901fa4dd82d35e58386d888ec3d8a993e18ce4878
kernel-rt-debug-devel-3.2.33-rt50.66.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
    MD5: c3f4892a73bbc2fdf850870f9c71d4c5
SHA-256: c1c2ea8bc7dec588124a1944e16482c07762f72c4b4f20c2d0e9712524bfe06a
kernel-rt-debuginfo-3.2.33-rt50.66.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
    MD5: b92f222a8ab9697317eeb472f6110e26
SHA-256: e2d420830ca25a8e4796f784f0df0494837249173782ac38a74f18220202b41a
kernel-rt-debuginfo-common-x86_64-3.2.33-rt50.66.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
    MD5: 003f659ebc0c9a1cbc12d4b2e0e1a451
SHA-256: 9105e05e580d5439869c0a03a9447de5749797d3cb3054d2dcb93ce54a26e63f
kernel-rt-devel-3.2.33-rt50.66.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
    MD5: 009a6f7fef69a24d366aa5dcc52418f2
SHA-256: 7d06ae9f3d99e115d579cdd9227e3757927274462d15dc74039c91cdbd138760
kernel-rt-doc-3.2.33-rt50.66.el6rt.noarch.rpm
File outdated by:  RHBA-2014:0381
    MD5: e71ac8ff5506ff8d821be4de0933f80d
SHA-256: 8edd30f0fc79e996832c01889bb0f6bbd4056edc78ddfc8790109b7d0f0d26ad
kernel-rt-firmware-3.2.33-rt50.66.el6rt.noarch.rpm
File outdated by:  RHBA-2014:0381
    MD5: 13a5e0db1b4202057d057213c13bc23e
SHA-256: 919d678ab02728b399c8f16a007803a2a1ab82b799b52cc7c7a8be623141e7d2
kernel-rt-trace-3.2.33-rt50.66.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
    MD5: 734f99c181fb5821d5b2da86d809e1e4
SHA-256: 84fe9bf69c970163928be9ce851d61b1ab308ca3e31f6e3e2df43e2302334982
kernel-rt-trace-debuginfo-3.2.33-rt50.66.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
    MD5: d937e7740f12bfac4d90692157105e2f
SHA-256: c22da36b53399d9e901d06fd68d56cf04ad9ab03b51fa2dfb4f06c95ef45d7ed
kernel-rt-trace-devel-3.2.33-rt50.66.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
    MD5: 67499130d67fe074b3314cef4e9ba2c5
SHA-256: daf945bbfed7238579b1eb63321a81c45c62e3d3850714ffe54b89252813a56f
kernel-rt-vanilla-3.2.33-rt50.66.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
    MD5: fe2327f1cb09c1874d7a048cc879ce64
SHA-256: 461048a87ef8c2c4a9ef94a6b33d81cea282a51c0a9fae1c6926edc8f881f3eb
kernel-rt-vanilla-debuginfo-3.2.33-rt50.66.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
    MD5: 40c7e7ae72fceda74d5773458ab7e18e
SHA-256: ec745a1b47d716be4e0bab976c550261393378ff101e851b50ae76c50a798cff
kernel-rt-vanilla-devel-3.2.33-rt50.66.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
    MD5: 35d11ad1c4fde35e283e43951ea841bc
SHA-256: 13a2cff48e37d79b6149388b1c4caa81e307b7bfd317e7b675d52f6bc95b8852
mrg-rt-release-3.2.33-rt50.66.el6rt.noarch.rpm
File outdated by:  RHSA-2013:1490
    MD5: 894638b36fe9ffa9554710a68828d168
SHA-256: a1809fb3af5d001fa977b8958b672f7b17bb3040b6a0cadff0cbe21effca6982
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

817430 - CVE-2012-2133 kernel: use after free bug in "quota" handling
820039 - CVE-2012-3430 kernel: recv{from,msg}() on an rds socket can leak kernel memory
843130 - RFE kernel: net: mitigate blind reset attacks using RST and SYN bits
843139 - CVE-2012-3400 kernel: udf: buffer overflow when parsing sparing table
849734 - CVE-2012-3511 kernel: mm: use-after-free in madvise_remove()
850449 - CVE-2012-3520 kernel: af_netlink: invalid handling of SCM_CREDENTIALS passing
856243 - kernel-rt-debug potential deadlock
859226 - iptables and other tools unable to log to rsyslog
862877 - CVE-2012-0957 kernel: uts: stack memory leak in UNAME26
864568 - Rebase MRG Realtime kernel to latest upstream 3.2 stable RT release
869904 - CVE-2012-4508 kernel: ext4: AIO vs fallocate stale data exposure
871848 - CVE-2012-4565 kernel: net: divide by zero in tcp algorithm illinois


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/