{"id":"MGASA-2015-0077","summary":"Updated kernel-rt packages fix security vulnerabilities","details":"This kernel-rt update provides as upgrade to upstream 3.14 longterm branch,\ncurrently based on 3.14.32 and fixes the following security issues:\n\nThe microcode on AMD 16h 00h through 0Fh processors does not properly handle\nthe interaction between locked instructions and write-combined memory types,\nwhich allows local users to cause a denial of service (system hang) via a\ncrafted application, aka the errata 793 issue (CVE-2013-6885)\n\nArray index error in the aio_read_events_ring function in fs/aio.c in\nthe Linux kernel through 3.15.1 allows local users to obtain sensitive\ninformation from kernel memory via a large head value (CVE-2014-0206).\n\nmedia-device: fix infoleak in ioctl media_enum_entities()\n(CVE-2014-1739)\n\nThe futex_requeue function in kernel/futex.c in the Linux kernel through\n3.14.5 does not ensure that calls have two different futex addresses,\nwhich allows local users to gain privileges via a crafted FUTEX_REQUEUE\ncommand that facilitates unsafe waiter modification. (CVE-2014-3153)\n\nThe kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel\nthrough 3.16.1 miscalculates the number of pages during the handling of\na mapping failure, which allows guest OS users to (1) cause a denial of\nservice (host OS memory corruption) or possibly have unspecified other\nimpact by triggering a large gfn value or (2) cause a denial of service\n(host OS memory consumption) by triggering a small gfn value that leads\nto permanently pinned pages (CVE-2014-3601).\n\nThe WRMSR processing functionality in the KVM subsystem in the Linux\nkernel through 3.17.2 does not properly handle the writing of a non-\ncanonical address to a model-specific register, which allows guest OS\nusers to cause a denial of service (host OS crash) by leveraging guest\nOS privileges, related to the wrmsr_interception function in\narch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c\n(CVE-2014-3610).\n\nRace condition in the __kvm_migrate_pit_timer function in\narch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through\n3.17.2 allows guest OS users to cause a denial of service (host OS crash)\nby leveraging incorrect PIT emulation (CVE-2014-3611).\n\narch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2\ndoes not have an exit handler for the INVVPID instruction, which allows\nguest OS users to cause a denial of service (guest OS crash) via a crafted\napplication (CVE-2014-3646).\n\narch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through\n3.17.2 does not properly perform RIP changes, which allows guest OS users\nto cause a denial of service (guest OS crash) via a crafted application\n(CVE-2014-3647).\n\nkernel/auditsc.c in the Linux kernel through 3.14.5, when \nCONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local\nusers to obtain potentially sensitive single-bit values from kernel memory\nor cause a denial of service (OOPS) via a large value of a syscall number.\nTo avoid this and other issues CONFIG_AUDITSYSCALL has been disabled.\n(CVE-2014-3917)\n\nThe capabilities implementation in the Linux kernel before 3.14.8 does\nnot properly consider that namespaces are inapplicable to inodes, which\nallows local users to bypass intended chmod restrictions by first creating\na user namespace, as demonstrated by setting the setgid bit on a file with\ngroup ownership of root (CVE-2014-4014)\n\nmm/shmem.c in the Linux kernel through 3.15.1 does not properly implement\nthe interaction between range notification and hole punching, which allows\nlocal users to cause a denial of service (i_mutex hold) by using the mmap\nsystem call to access a hole, as demonstrated by interfering with intended\nshmem activity by blocking completion of (1) an MADV_REMOVE madvise call\nor (2) an FALLOC_FL_PUNCH_HOLE fallocate call (CVE-2014-4171).\n\narch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit\nx86 platforms, when syscall auditing is enabled and the sep CPU feature\nflag is set, allows local users to cause a denial of service (OOPS and\nsystem crash) via an invalid syscall number, as demonstrated by number\n1000 (CVE-2014-4508). \n\nA flaw was found in the way reference counting was handled in the Linux\nkernels VFS subsystem when unmount on symlink was performed. An unprivileged\nlocal user could use this flaw to cause OOM conditions leading to denial\nof service or, potentially, trigger use-after-free error (CVE-2014-5045).\n\nLinux kernel built with the support for Stream Control Transmission Protocol\n(CONFIG_IP_SCTP) is vulnerable to a NULL pointer dereference flaw. It could\noccur when simultaneous new connections are initiated between the same pair\nof hosts. A remote user/program could use this flaw to crash the system\nkernel resulting in DoS (CVE.2014-5077).\n\nThe pivot_root implementation in fs/namespace.c in the Linux kernel through\n3.17 does not properly interact with certain locations of a chroot directory,\nwhich allows local users to cause a denial of service (mount-tree loop) via\n. (dot) values in both arguments to the pivot_root system call\n(CVE-2014-7970).\n\narch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in\nthe Linux kernel through 3.18.1 allows local users to bypass the espfix\nprotection mechanism, and consequently makes it easier for local users to\nbypass the ASLR protection mechanism, via a crafted application that makes\na set_thread_area system call and later reads a 16-bit value (CVE-2014-8133).\n\nThe paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel\nthrough 3.18 uses an improper paravirt_enabled setting for KVM guest kernels,\nwhich makes it easier for guest OS users to bypass the ASLR protection\nmechanism via a crafted application that reads a 16-bit value (CVE-2014-8134).\n\nThe Linux kernel through 3.17.4 does not properly restrict dropping of\nsupplemental group memberships in certain namespace scenarios, which allows\nlocal users to bypass intended file permissions by leveraging a POSIX ACL\ncontaining an entry for the group category that is more restrictive than\nthe entry for the other category, aka a \"negative groups\" issue, related to\nkernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c (CVE-2014-8989).\n\narch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly\nhandle faults associated with the Stack Segment (SS) segment register, which\n allows local users to gain privileges by triggering an IRET instruction that\nleads to access to a GS Base address from the wrong space (CVE-2014-9322).\n\nOn x86_64 Linux kernels a malicious user program can do a partial ASLR\nbypass through TLS base addresses leak when attacking other programs\n(CVE-2014-9419).\n\nLinux kernel built with the iso9660 file system (CONFIG_ISO9660_FS) support\nis vulnerable to an infinite recursion loop flaw, which could lead to a\ncrash or render a system unresponsive/unusable after a while. This occurs\nwhile mounting an iso9660 image. An unprivileged user/process could use\nthis flaw to crash the system resulting in DoS (CVE-2014-9420).\n\nThe batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in\nthe B.A.T.M.A.N. implementation in the Linux kernel through 3.18.1 uses an\nincorrect length field during a calculation of an amount of memory, which\nallows remote attackers to cause a denial of service (mesh-node system crash)\nvia fragmented packets (CVE-2014-9428).\n\nRace condition in the key_gc_unused_keys function in security/keys/gc.c\nin the Linux kernel through 3.18.2 allows local users to cause a denial\nof service (memory corruption or panic) or possibly have unspecified other\nimpact via keyctl commands that trigger access to a key structure member\nduring garbage collection of a key (CVE-2014-9529).\n\nThe parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux\nkernel before 3.18.2 does not validate a length value in the Extensions\nReference (ER) System Use Field, which allows local users to obtain sensitive\ninformation from kernel memory via a crafted iso9660 image (CVE-2014-9584).\n\nThe vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through\n3.18.2 does not properly choose memory locations for the vDSO area, which\nmakes it easier for local users to bypass the ASLR protection mechanism by\nguessing a location at the end of a PMD (CVE-2014-9585).\n\nLinux Kernel 2.6.38 through 3.18 are affected by a flaw in the Crypto API\nthat allows any local user to load any installed kernel module on systems\nwhere CONFIG_CRYPTO_USER_API=y by abusing the request_module() call\n(CVE-2013-7421, CVE-2014-9644).\n\nWhen hitting an sctp INIT collision case during the 4WHS with AUTH enabled,\nit can create a local denial of service by triggering a panic on server side\n(CVE-2015-1421).\n\nIt was found that routing packets to too many different dsts/too fast can\nlead to a excessive resource consumption. A remote attacker can use this\nflaw to crash the system (CVE-2015-1465).\n\nThe -rt patch has been updated to -rt28.\n\nFor other fixes in this update, see the referenced changelogs.\n","modified":"2026-04-16T06:24:42.918265494Z","published":"2015-02-19T14:43:07Z","upstream":["CVE-2013-6885","CVE-2013-7421","CVE-2014-0206","CVE-2014-1739","CVE-2014-3153","CVE-2014-3601","CVE-2014-3610","CVE-2014-3611","CVE-2014-3646","CVE-2014-3647","CVE-2014-3917","CVE-2014-4014","CVE-2014-4171","CVE-2014-4508","CVE-2014-5045","CVE-2014-7970","CVE-2014-8133","CVE-2014-8134","CVE-2014-8989","CVE-2014-9322","CVE-2014-9419","CVE-2014-9420","CVE-2014-9428","CVE-2014-9529","CVE-2014-9584","CVE-2014-9585","CVE-2014-9644","CVE-2015-1421","CVE-2015-1465"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2015-0077.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=15224"},{"type":"WEB","url":"http://kernelnewbies.org/Linux_3.13"},{"type":"WEB","url":"http://kernelnewbies.org/Linux_3.14"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.1"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.2"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.3"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.4"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.5"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.6"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.7"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.8"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.9"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.10"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.11"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.12"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.13"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.14"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.15"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.16"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.17"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.18"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.19"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.20"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.21"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.22"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.23"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.24"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.25"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.26"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.27"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.28"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.29"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.30"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.31"},{"type":"WEB","url":"https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.32"}],"affected":[{"package":{"name":"kernel-rt","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/kernel-rt?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.14.32-0.rt28.1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0077.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}