Security Advisory Important: kernel-rt security and bug fix update

Advisory: RHSA-2013:0829-1
Type: Security Advisory
Severity: Important
Issued on: 2013-05-20
Last updated on: 2013-05-20
Affected Products: Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 6)
CVEs (cve.mitre.org): CVE-2013-0913
CVE-2013-0914
CVE-2013-1767
CVE-2013-1774
CVE-2013-1792
CVE-2013-1819
CVE-2013-1848
CVE-2013-1860
CVE-2013-1929
CVE-2013-1979
CVE-2013-2094
CVE-2013-2546
CVE-2013-2547
CVE-2013-2548
CVE-2013-2634
CVE-2013-2635
CVE-2013-3076
CVE-2013-3222
CVE-2013-3224
CVE-2013-3225
CVE-2013-3231

Details

Updated kernel-rt packages that fix several security issues and multiple
bugs are now available for Red Hat Enterprise MRG 2.3.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Security fixes:

* It was found that the kernel-rt update RHBA-2012:0044 introduced an
integer conversion issue in the Linux kernel's Performance Events
implementation. This led to a user-supplied index into the
perf_swevent_enabled array not being validated properly, resulting in
out-of-bounds kernel memory access. A local, unprivileged user could use
this flaw to escalate their privileges. (CVE-2013-2094, Important)

A public exploit for CVE-2013-2094 that affects Red Hat Enterprise MRG 2 is
available. Refer to Red Hat Knowledge Solution 373743, linked to in the
References, for further information and mitigation instructions for users
who are unable to immediately apply this update.

* An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way the Intel i915 driver in the Linux kernel handled the
allocation of the buffer used for relocation copies. A local user with
console access could use this flaw to cause a denial of service or escalate
their privileges. (CVE-2013-0913, Important)

* It was found that the Linux kernel used effective user and group IDs
instead of real ones when passing messages with SCM_CREDENTIALS ancillary
data. A local, unprivileged user could leverage this flaw with a set user
ID (setuid) application, allowing them to escalate their privileges.
(CVE-2013-1979, Important)

* A race condition in install_user_keyrings(), leading to a NULL pointer
dereference, was found in the key management facility. A local,
unprivileged user could use this flaw to cause a denial of service.
(CVE-2013-1792, Moderate)

* A NULL pointer dereference flaw was found in the Linux kernel's XFS file
system implementation. A local user who is able to mount an XFS file
system could use this flaw to cause a denial of service. (CVE-2013-1819,
Moderate)

* An information leak was found in the Linux kernel's POSIX signals
implementation. A local, unprivileged user could use this flaw to bypass
the Address Space Layout Randomization (ASLR) security feature.
(CVE-2013-0914, Low)

* A use-after-free flaw was found in the tmpfs implementation. A local user
able to mount and unmount a tmpfs file system could use this flaw to cause
a denial of service or, potentially, escalate their privileges.
(CVE-2013-1767, Low)

* A NULL pointer dereference flaw was found in the Linux kernel's USB
Inside Out Edgeport Serial Driver implementation. A local user with
physical access to a system and with access to a USB device's tty file
could use this flaw to cause a denial of service. (CVE-2013-1774, Low)

* A format string flaw was found in the ext3_msg() function in the Linux
kernel's ext3 file system implementation. A local user who is able to
mount an ext3 file system could use this flaw to cause a denial of service
or, potentially, escalate their privileges. (CVE-2013-1848, Low)

* A heap-based buffer overflow flaw was found in the Linux kernel's
cdc-wdm driver, used for USB CDC WCM device management. An attacker with
physical access to a system could use this flaw to cause a denial of
service or, potentially, escalate their privileges. (CVE-2013-1860, Low)

* A heap-based buffer overflow in the way the tg3 Ethernet driver parsed
the vital product data (VPD) of devices could allow an attacker with
physical access to a system to cause a denial of service or, potentially,
escalate their privileges. (CVE-2013-1929, Low)

* Information leaks in the Linux kernel's cryptographic API could allow a
local user who has the CAP_NET_ADMIN capability to leak kernel stack memory
to user-space. (CVE-2013-2546, CVE-2013-2547, CVE-2013-2548, Low)

* Information leaks in the Linux kernel could allow a local, unprivileged
user to leak kernel stack memory to user-space. (CVE-2013-2634,
CVE-2013-2635, CVE-2013-3076, CVE-2013-3222, CVE-2013-3224, CVE-2013-3225,
CVE-2013-3231, Low)
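
The integer conversion issue described for CVE-2013-2094 above, modelled in user-space C as an added example (not kernel code and not part of the advisory). `SW_EVENT_MAX` and the three function names are hypothetical, and the narrowing to a signed `int` is an assumption about the shape of the conversion; the block shows why an upper-bound-only check on the narrowed value accepts an index that the full-width check rejects.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the number of software event types. */
#define SW_EVENT_MAX 9

/* User-space model of the array named in the advisory. */
static int perf_swevent_enabled[SW_EVENT_MAX];

/* Flawed shape: the 64-bit user value is narrowed to a signed int and only
 * the upper bound is checked. A large value turns negative after narrowing
 * (two's-complement targets) and passes. Returns 0 when the index would be
 * accepted, -ENOENT when it is rejected. */
int validate_flawed(uint64_t config)
{
    int event_id = (int)config;      /* the integer conversion issue */
    if (event_id >= SW_EVENT_MAX)
        return -ENOENT;
    return 0;                        /* the array would be indexed here */
}

/* Hardened shape: compare at the full unsigned width of the user value. */
int validate_fixed(uint64_t config)
{
    if (config >= SW_EVENT_MAX)
        return -ENOENT;
    return 0;
}

/* Touches the array only after the full-width check has passed.
 * Returns the new enable count, or -ENOENT for an invalid index. */
int enable_event(uint64_t config)
{
    if (validate_fixed(config) != 0)
        return -ENOENT;
    return ++perf_swevent_enabled[config];
}

int main(void)
{
    /* Constructed sample values: one valid index, two out of range. */
    uint64_t samples[] = { 3, 9, 0x80000000ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("config=%#llx flawed=%d fixed=%d\n",
               (unsigned long long)samples[i],
               validate_flawed(samples[i]), validate_fixed(samples[i]));
    return 0;
}
```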

Red Hat would like to thank Andy Lutomirski for reporting CVE-2013-1979.
CVE-2013-1792 was discovered by Mateusz Guzik of Red Hat EMEA GSS SEG Team.


Solution

This update also fixes multiple bugs. Documentation for these changes will
be available shortly from the Technical Notes document linked to in the
References section.

Users should upgrade to these updated packages, which upgrade the kernel-rt
kernel to version kernel-rt-3.6.11.2-rt33, correct these issues, and fix
the bugs noted in the Red Hat Enterprise MRG 2 Technical Notes. The system
must be rebooted for this update to take effect.

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system.

Updated packages

Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 6)

SRPMS:
kernel-rt-3.6.11.2-rt33.39.el6rt.src.rpm
File outdated by:  RHBA-2014:0381

x86_64:
kernel-rt-3.6.11.2-rt33.39.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
kernel-rt-debug-3.6.11.2-rt33.39.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
kernel-rt-debug-debuginfo-3.6.11.2-rt33.39.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
kernel-rt-debug-devel-3.6.11.2-rt33.39.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
kernel-rt-debuginfo-3.6.11.2-rt33.39.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
kernel-rt-debuginfo-common-x86_64-3.6.11.2-rt33.39.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
kernel-rt-devel-3.6.11.2-rt33.39.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
kernel-rt-doc-3.6.11.2-rt33.39.el6rt.noarch.rpm
File outdated by:  RHBA-2014:0381
kernel-rt-firmware-3.6.11.2-rt33.39.el6rt.noarch.rpm
File outdated by:  RHBA-2014:0381
kernel-rt-trace-3.6.11.2-rt33.39.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
kernel-rt-trace-debuginfo-3.6.11.2-rt33.39.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
kernel-rt-trace-devel-3.6.11.2-rt33.39.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
kernel-rt-vanilla-3.6.11.2-rt33.39.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
kernel-rt-vanilla-debuginfo-3.6.11.2-rt33.39.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
kernel-rt-vanilla-devel-3.6.11.2-rt33.39.el6rt.x86_64.rpm
File outdated by:  RHBA-2014:0381
mrg-rt-release-3.6.11.2-rt33.39.el6rt.noarch.rpm
File outdated by:  RHSA-2013:1490

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

915592 - CVE-2013-1767 Kernel: tmpfs: fix use-after-free of mempolicy object
916191 - CVE-2013-1774 Kernel: USB io_ti driver NULL pointer dereference in routine chase_port
916646 - CVE-2013-1792 Kernel: keys: race condition in install_user_keyrings()
918009 - CVE-2013-1819 kernel: xfs: _xfs_buf_find oops on blocks beyond the filesystem end
918098 - build id problem - needed for systemtap and perf annotations
918512 - kernel: crypto: info leaks in report API
920471 - CVE-2013-0913 Kernel: drm/i915: heap writing overflow
920499 - CVE-2013-0914 Kernel: sa_restorer information leak
920783 - CVE-2013-1848 kernel: ext3: format string issues
921970 - CVE-2013-1860 kernel: usb: cdc-wdm buffer overflow triggered by device
924689 - CVE-2013-2634 kernel: Information leak in the Data Center Bridging (DCB) component
924690 - CVE-2013-2635 kernel: Information leak in the RTNETLINK component
927026 - disable NO_HZ by default missing from v3.6-rt
949932 - CVE-2013-1929 Kernel: tg3: buffer overflow in VPD firmware parsing
955216 - CVE-2013-3222 Kernel: atm: update msg_namelen in vcc_recvmsg()
955599 - CVE-2013-3224 Kernel: Bluetooth: possible info leak in bt_sock_recvmsg()
955629 - CVE-2013-1979 kernel: net: incorrect SCM_CREDENTIALS passing
955649 - CVE-2013-3225 Kernel: Bluetooth: RFCOMM - missing msg_namelen update in rfcomm_sock_recvmsg
956094 - CVE-2013-3231 Kernel: llc: Fix missing msg_namelen update in llc_ui_recvmsg
956162 - CVE-2013-3076 Kernel: crypto: algif - suppress sending source address information in recvmsg
962792 - CVE-2013-2094 kernel: perf_swevent_enabled array out-of-bound access


References

https://www.redhat.com/security/data/cve/CVE-2013-0913.html
https://www.redhat.com/security/data/cve/CVE-2013-0914.html
https://www.redhat.com/security/data/cve/CVE-2013-1767.html
https://www.redhat.com/security/data/cve/CVE-2013-1774.html
https://www.redhat.com/security/data/cve/CVE-2013-1792.html
https://www.redhat.com/security/data/cve/CVE-2013-1819.html
https://www.redhat.com/security/data/cve/CVE-2013-1848.html
https://www.redhat.com/security/data/cve/CVE-2013-1860.html
https://www.redhat.com/security/data/cve/CVE-2013-1929.html
https://www.redhat.com/security/data/cve/CVE-2013-1979.html
https://www.redhat.com/security/data/cve/CVE-2013-2094.html
https://www.redhat.com/security/data/cve/CVE-2013-2546.html
https://www.redhat.com/security/data/cve/CVE-2013-2547.html
https://www.redhat.com/security/data/cve/CVE-2013-2548.html
https://www.redhat.com/security/data/cve/CVE-2013-2634.html
https://www.redhat.com/security/data/cve/CVE-2013-2635.html
https://www.redhat.com/security/data/cve/CVE-2013-3076.html
https://www.redhat.com/security/data/cve/CVE-2013-3222.html
https://www.redhat.com/security/data/cve/CVE-2013-3224.html
https://www.redhat.com/security/data/cve/CVE-2013-3225.html
https://www.redhat.com/security/data/cve/CVE-2013-3231.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/site/solutions/373743
https://rhn.redhat.com/errata/RHBA-2012-0044.html
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_MRG/2/html/Technical_Notes/RHSA-2013-0829.html


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/