The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return value in certain circumstances, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument.

The SUSE Linux Enterprise Server 10 Service Pack 4 LTSS kernel has been updated to fix various security issues and several bugs.

The following security issues have been addressed :

CVE-2011-2492: The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c. (bnc#702014)

CVE-2011-2494: kernel/taskstats.c in the Linux kernel before 3.1 allows local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password. (bnc#703156)

CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.
(bnc#809889)

CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809891)

CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 3.6 does not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809892)

CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809893)

CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return value in certain circumstances, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument. (bnc#809894)

CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. (bnc#809898)

CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application.
(bnc#809899)

CVE-2012-6546: The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809900)

CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809901)

CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (bnc#809903)

CVE-2013-0343: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages. (bnc#805226)

CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. (bnc#808827)

CVE-2013-1827: net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call.
(bnc#811354)

CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call.
(bnc#823267)

CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. (bnc#824295)

CVE-2013-2206: The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic. (bnc#826102)

CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. (bnc#827750)

CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.
(bnc#827749)

CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (bnc#828119)

CVE-2013-2888: Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID. (bnc#835839)

CVE-2013-2893: The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c.
(bnc#835839)

CVE-2013-2897: Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device. (bnc#835839)

CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668)

CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668)

CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
(bnc#816668)

CVE-2013-3235: net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668)

CVE-2013-4162: The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call.
(bnc#831058)

CVE-2013-4387: net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response packet. (bnc#843430)

CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.
(bnc#847672)

CVE-2013-4483: The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application. (bnc#848321)

CVE-2013-4588: Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function. (bnc#851095)

CVE-2013-6383: The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call. (bnc#852558)

CVE-2014-1444: The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869)

CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call. (bnc#858870)

CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. (bnc#858872)

Also the following non-security bugs have been fixed :

  - kernel: Remove newline from execve audit log     (bnc#827855).

  - kernel: sclp console hangs (bnc#830344, LTC#95711).

  - kernel: fix flush_tlb_kernel_range (bnc#825052,     LTC#94745). kernel: lost IPIs on CPU hotplug     (bnc#825052, LTC#94784).

    sctp: deal with multiple COOKIE_ECHO chunks     (bnc#826102).

  - net: Uninline kfree_skb and allow NULL argument     (bnc#853501).

  - netback: don't disconnect frontend when seeing oversize     packet. netfront: reduce gso_max_size to account for max     TCP header.

    fs/dcache: Avoid race in d_splice_alias and vfs_rmdir     (bnc#845028).

  - fs/proc: proc_task_lookup() fix memory pinning     (bnc#827362 bnc#849765).

  - blkdev_max_block: make private to fs/buffer.c     (bnc#820338).

  - vfs: avoid 'attempt to access beyond end of device'     warnings (bnc#820338).

  - vfs: fix O_DIRECT read past end of block device     (bnc#820338).

  - cifs: don't use CIFSGetSrvInodeNumber in     is_path_accessible (bnc#832603).

  - xfs: Fix kABI breakage caused by AIL list transformation     (bnc#806219).

  - xfs: Replace custom AIL linked-list code with struct     list_head (bnc#806219).

  - reiserfs: fix problems with chowning setuid file w/     xattrs (bnc#790920).

  - reiserfs: fix spurious multiple-fill in     reiserfs_readdir_dentry (bnc#822722). jbd: Fix forever     sleeping process in do_get_write_access() (bnc#827983).

    HID: check for NULL field when setting values     (bnc#835839).

  - HID: provide a helper for validating hid reports     (bnc#835839).

  - bcm43xx: netlink deadlock fix (bnc#850241).

  - bnx2: Close device if tx_timeout reset fails     (bnc#857597).

  - xfrm: invalidate dst on policy insertion/deletion     (bnc#842239).

  - xfrm: prevent ipcomp scratch buffer race condition     (bnc#842239).

  - lpfc: Update to 8.2.0.106 (bnc#798050).

  - Make lpfc task management timeout configurable     (bnc#798050).

  - dpt_i2o: Remove DPTI_STATE_IOCTL (bnc#798050).

  - dpt_i2o: return SCSI_MLQUEUE_HOST_BUSY when in reset     (bnc#798050).

  - advansys: Remove 'last_reset' references (bnc#798050).

  - tmscsim: Move 'last_reset' into host structure     (bnc#798050). dc395: Move 'last_reset' into internal     host structure (bnc#798050).

    scsi: remove check for 'resetting' (bnc#798050).

  - scsi: Allow error handling timeout to be specified     (bnc#798050).

  - scsi: Eliminate error handler overload of the SCSI     serial number (bnc#798050).

  - scsi: Reduce sequential pointer derefs in scsi_error.c     and reduce size as well (bnc#798050).

  - scsi: Reduce error recovery time by reducing use of TURs     (bnc#798050).

  - scsi: fix eh wakeup (scsi_schedule_eh vs     scsi_restart_operations)

  - scsi: cleanup setting task state in scsi_error_handler()     (bnc#798050).

  - scsi: Add 'eh_deadline' to limit SCSI EH runtime     (bnc#798050).

  - scsi: Fixup compilation warning (bnc#798050).

  - scsi: fc class: fix scanning when devs are offline     (bnc#798050).

  - scsi: Warn on invalid command completion (bnc#798050).

  - scsi: Retry failfast commands after EH (bnc#798050).

  - scsi: kABI fixes (bnc#798050).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise Server 10 SP3 LTSS kernel received a roll up update to fix lots of moderate security issues and several bugs.

The Following security issues have been fixed :

CVE-2012-4530: The load_script function in fs/binfmt_script.c in the Linux kernel did not properly handle recursion, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password.

CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel did not initialize certain structure members, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.

CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket.

CVE-2013-2147: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel did not initialize certain data structures, which allowed local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c.

CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call.

CVE-2013-0160: The Linux kernel allowed local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device.

CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.

CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel did not properly initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3235: net/tipc/socket.c in the Linux kernel did not initialize a certain data structure and a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-1827: net/dccp/ccid.h in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call.

CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory via a crafted application.

CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2012-6546: The ATM implementation in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation.

CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel memory via a crafted application.

CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel had an incorrect return value in certain circumstances, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument.

CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel did not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel preserved the value of the sa_restorer field across an exec operation, which made it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call.

CVE-2011-2492: The bluetooth subsystem in the Linux kernel did not properly initialize certain data structures, which allowed local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c.

CVE-2013-2206: The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel did not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic.

CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel allowed local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.

CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.

CVE-2012-4444: The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel allowed remote attackers to bypass intended network restrictions via overlapping IPv6 fragments.

CVE-2013-1928: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel on unspecified architectures lacked a certain error check, which might have allowed local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device.

CVE-2013-0871: Race condition in the ptrace functionality in the Linux kernel allowed local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death.

CVE-2013-0268: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel allowed local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c.

CVE-2012-3510: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.

CVE-2011-4110: The user_update function in security/keys/user_defined.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and 'updating a negative key into a fully instantiated key.'

CVE-2012-2136: The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device.

CVE-2009-4020: Stack-based buffer overflow in the hfs subsystem in the Linux kernel allowed remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the hfs_readdir function in fs/hfs/dir.c.

CVE-2011-2928: The befs_follow_link function in fs/befs/linuxvfs.c in the Linux kernel did not validate the length attribute of long symlinks, which allowed local users to cause a denial of service (incorrect pointer dereference and OOPS) by accessing a long symlink on a malformed Be filesystem.

CVE-2011-4077: Buffer overflow in the xfs_readlink function in fs/xfs/xfs_vnodeops.c in XFS in the Linux kernel, when CONFIG_XFS_DEBUG is disabled, allowed local users to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via an XFS image containing a symbolic link with a long pathname.

CVE-2011-4324: The encode_share_access function in fs/nfs/nfs4xdr.c in the Linux kernel allowed local users to cause a denial of service (BUG and system crash) by using the mknod system call with a pathname on an NFSv4 filesystem.

CVE-2011-4330: Stack-based buffer overflow in the hfs_mac2asc function in fs/hfs/trans.c in the Linux kernel allowed local users to cause a denial of service (crash) and possibly execute arbitrary code via an HFS image with a crafted len field.

CVE-2011-1172: net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.

CVE-2011-2525: The qdisc_notify function in net/sched/sch_api.c in the Linux kernel did not prevent tc_fill_qdisc function calls referencing builtin (aka CQ_F_BUILTIN) Qdisc structures, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted call.

CVE-2011-2699: The IPv6 implementation in the Linux kernel did not generate Fragment Identification values separately for each destination, which made it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets.

CVE-2011-1171: net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.

CVE-2011-1170: net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.

CVE-2011-3209: The div_long_long_rem implementation in include/asm-x86/div64.h in the Linux kernel on the x86 platform allowed local users to cause a denial of service (Divide Error Fault and panic) via a clock_gettime system call.

CVE-2011-2213: The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880.

CVE-2011-2534: Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel might have allowed local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating 0 character.

CVE-2011-2699: The IPv6 implementation in the Linux kernel did not generate Fragment Identification values separately for each destination, which made it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets.

CVE-2011-2203: The hfs_find_init function in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and Oops) by mounting an HFS file system with a malformed MDB extent record.

CVE-2009-4067: A USB string descriptor overflow in the auerwald USB driver was fixed, which could be used by physically proximate attackers to cause a kernel crash.

CVE-2011-3363: The setup_cifs_sb function in fs/cifs/connect.c in the Linux kernel did not properly handle DFS referrals, which allowed remote CIFS servers to cause a denial of service (system crash) by placing a referral at the root of a share.

CVE-2011-2484: The add_del_listener function in kernel/taskstats.c in the Linux kernel did not prevent multiple registrations of exit handlers, which allowed local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application.

CVE-2011-4132: The cleanup_journal_tail function in the Journaling Block Device (JBD) functionality in the Linux kernel allowed local users to cause a denial of service (assertion error and kernel oops) via an ext3 or ext4 image with an 'invalid log first block value.'

CVE-2010-4249: The wait_for_unix_gc function in net/unix/garbage.c in the Linux kernel before 2.6.37-rc3-next-20101125 does not properly select times for garbage collection of inflight sockets, which allows local users to cause a denial of service (system hang) via crafted use of the socketpair and sendmsg system calls for SOCK_SEQPACKET sockets.

The following bugs have been fixed :

patches.fixes/allow-executables-larger-than-2GB.patch: Allow executables larger than 2GB (bnc#836856).

cio: prevent kernel panic after unexpected I/O interrupt (bnc#649868,LTC#67975).

  - cio: Add timeouts for internal IO     (bnc#701550,LTC#72691). kernel: first time swap use     results in heavy swapping (bnc#701550,LTC#73132).

    qla2xxx: Do not be so verbose on underrun detected

    patches.arch/i386-run-tsc-calibration-5-times.patch: Fix     the patch, the logic was wrong (bnc#537165, bnc#826551).

    xfs: Do not reclaim new inodes in xfs_sync_inodes()     (bnc#770980 bnc#811752).

    kbuild: Fix gcc -x syntax (bnc#773831).

    e1000e: stop cleaning when we reach tx_ring->next_to_use     (bnc#762825).

    Fix race condition about network device name allocation     (bnc#747576).

    kdump: bootmem map over crash reserved region     (bnc#749168, bnc#722400, bnc#742881).

    tcp: fix race condition leading to premature termination     of sockets in FIN_WAIT2 state and connection being reset     (bnc#745760)

    tcp: drop SYN+FIN messages (bnc#765102).

    net/linkwatch: Handle jiffies wrap-around (bnc#740131).

    patches.fixes/vm-dirty-bytes: Provide     /proc/sys/vm/dirty_{background_,}bytes for tuning     (bnc#727597).

    ipmi: Fix deadlock in start_next_msg() (bnc#730749).

    cpu-hotplug: release workqueue_mutex properly on CPU     hot-remove (bnc#733407).

    libiscsi: handle init task failures (bnc#721351).

    NFS/sunrpc: do not use a credential with extra groups     (bnc#725878).

    x86_64: fix reboot hang when 'reboot=b' is passed to the     kernel (bnc#721267).

    nf_nat: do not add NAT extension for confirmed     conntracks (bnc#709213).

    xfs: fix memory reclaim recursion deadlock on locked     inode buffer (bnc#699355 bnc#699354 bnc#721830).

    ipmi: do not grab locks in run-to-completion mode     (bnc#717421).

    cciss: do not attempt to read from a write-only register     (bnc#683101).

    qla2xxx: Disable MSI-X initialization (bnc#693513).

    Allow balance_dirty_pages to help other filesystems     (bnc#709369).

  - nfs: fix congestion control (bnc#709369).

  - NFS: Separate metadata and page cache revalidation     mechanisms (bnc#709369). knfsd: nfsd4: fix laundromat     shutdown race (bnc#752556).

    x87: Do not synchronize TSCs across cores if they     already should be synchronized by HW (bnc#615418     bnc#609220).

    reiserfs: Fix int overflow while calculating free space     (bnc#795075).

    af_unix: limit recursion level (bnc#656153).

    bcm43xx: netlink deadlock fix (bnc#850241).

    jbd: Issue cache flush after checkpointing (bnc#731770).

    cfq: Fix infinite loop in cfq_preempt_queue()     (bnc#724692).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 6. This is the fifth regular update.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A flaw was found in the way the Linux kernel's IPv6 implementation handled certain UDP packets when the UDP Fragmentation Offload (UFO) feature was enabled. A remote attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system.
(CVE-2013-4387, Important)

* A flaw was found in the way the Linux kernel handled the creation of temporary IPv6 addresses. If the IPv6 privacy extension was enabled (/proc/sys/net/ipv6/conf/eth0/use_tempaddr set to '2'), an attacker on the local network could disable IPv6 temporary address generation, leading to a potential information disclosure. (CVE-2013-0343, Moderate)

* A flaw was found in the way the Linux kernel handled HID (Human Interface Device) reports with an out-of-bounds Report ID. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system.
(CVE-2013-2888, Moderate)

* An off-by-one flaw was found in the way the ANSI CPRNG implementation in the Linux kernel processed non-block size aligned requests. This could lead to random numbers being generated with less bits of entropy than expected when ANSI CPRNG was used.
(CVE-2013-4345, Moderate)

* It was found that the fix for CVE-2012-2375 released via RHSA-2012:1580 accidentally removed a check for small-sized result buffers. A local, unprivileged user with access to an NFSv4 mount with ACL support could use this flaw to crash the system or, potentially, escalate their privileges on the system . (CVE-2013-4591, Moderate)

* A flaw was found in the way IOMMU memory mappings were handled when moving memory slots. A malicious user on a KVM host who has the ability to assign a device to a guest could use this flaw to crash the host. (CVE-2013-4592, Moderate)

* Heap-based buffer overflow flaws were found in the way the Zeroplus and Pantherlord/GreenAsia game controllers handled HID reports. An attacker with physical access to the system could use these flaws to crash the system or, potentially, escalate their privileges on the system. (CVE-2013-2889, CVE-2013-2892, Moderate)

* Two information leak flaws were found in the logical link control (LLC) implementation in the Linux kernel. A local, unprivileged user could use these flaws to leak kernel stack memory to user space.
(CVE-2012-6542, CVE-2013-3231, Low)

* A heap-based buffer overflow in the way the tg3 Ethernet driver parsed the vital product data (VPD) of devices could allow an attacker with physical access to a system to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1929, Low)

* Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user space. (CVE-2012-6545, CVE-2013-1928, CVE-2013-2164, CVE-2013-2234, Low)

* A format string flaw was found in the Linux kernel's block layer. A privileged, local user could potentially use this flaw to escalate their privileges to kernel level (ring0). (CVE-2013-2851, Low)

Red Hat would like to thank Stephan Mueller for reporting CVE-2013-4345, and Kees Cook for reporting CVE-2013-2851.

This update also fixes several hundred bugs and adds enhancements.
Refer to the Red Hat Enterprise Linux 6.5 Release Notes for information on the most significant of these changes, and the Technical Notes for further information, both linked to in the References.

All Red Hat Enterprise Linux 6 users are advised to install these updated packages, which correct these issues, and fix the bugs and add the enhancements noted in the Red Hat Enterprise Linux 6.5 Release Notes and Technical Notes. The system must be rebooted for this update to take effect.

This update fixes the following security issues :

  - A flaw was found in the way the Linux kernel's IPv6     implementation handled certain UDP packets when the UDP     Fragmentation Offload (UFO) feature was enabled. A     remote attacker could use this flaw to crash the system     or, potentially, escalate their privileges on the     system. (CVE-2013-4387, Important)

  - A flaw was found in the way the Linux kernel handled the     creation of temporary IPv6 addresses. If the IPv6     privacy extension was enabled     (/proc/sys/net/ipv6/conf/eth0/use_tempaddr set to '2'),     an attacker on the local network could disable IPv6     temporary address generation, leading to a potential     information disclosure. (CVE-2013-0343, Moderate)

  - A flaw was found in the way the Linux kernel handled HID     (Human Interface Device) reports with an out-of-bounds     Report ID. An attacker with physical access to the     system could use this flaw to crash the system or,     potentially, escalate their privileges on the system.
    (CVE-2013-2888, Moderate)

  - An off-by-one flaw was found in the way the ANSI CPRNG     implementation in the Linux kernel processed non-block     size aligned requests. This could lead to random numbers     being generated with less bits of entropy than expected     when ANSI CPRNG was used. (CVE-2013-4345, Moderate)

  - It was found that the fix for CVE-2012-2375 released via     SLSA-2012:1580 accidentally removed a check for     small-sized result buffers. A local, unprivileged user     with access to an NFSv4 mount with ACL support could use     this flaw to crash the system or, potentially, escalate     their privileges on the system . (CVE-2013-4591,     Moderate)

  - A flaw was found in the way IOMMU memory mappings were     handled when moving memory slots. A malicious user on a     KVM host who has the ability to assign a device to a     guest could use this flaw to crash the host.
    (CVE-2013-4592, Moderate)

  - Heap-based buffer overflow flaws were found in the way     the Zeroplus and Pantherlord/GreenAsia game controllers     handled HID reports. An attacker with physical access to     the system could use these flaws to crash the system or,     potentially, escalate their privileges on the system.
    (CVE-2013-2889, CVE-2013-2892, Moderate)

  - Two information leak flaws were found in the logical     link control (LLC) implementation in the Linux kernel. A     local, unprivileged user could use these flaws to leak     kernel stack memory to user space. (CVE-2012-6542,     CVE-2013-3231, Low)

  - A heap-based buffer overflow in the way the tg3 Ethernet     driver parsed the vital product data (VPD) of devices     could allow an attacker with physical access to a system     to cause a denial of service or, potentially, escalate     their privileges. (CVE-2013-1929, Low)

  - Information leak flaws in the Linux kernel could allow a     privileged, local user to leak kernel memory to user     space. (CVE-2012-6545, CVE-2013-1928, CVE-2013-2164,     CVE-2013-2234, Low)

  - A format string flaw was found in the Linux kernel's     block layer. A privileged, local user could potentially     use this flaw to escalate their privileges to kernel     level (ring0). (CVE-2013-2851, Low)

The system must be rebooted for this update to take effect.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-1645 advisory.

    - [net] ipv6: udp packets following an UFO enqueued packet need also be handled by UFO (Jiri Pirko)     [1011930] {CVE-2013-4387}
    - [fs] compat_ioctl: VIDEO_SET_SPU_PALETTE missing error check (Phillip Lougher) [949573] {CVE-2013-1928}
    - [md] dm-snapshot: fix data corruption (Mikulas Patocka) [974481] {CVE-2013-4299}
    - [hid] pantherlord: heap overflow flaw (Radomir Vrbovsky) [1000435] {CVE-2013-2892}
    - [hid] zeroplus: validate output report details (Frantisek Hrbata) [999906] {CVE-2013-2889}
    - [hid] provide a helper for validating hid reports (Frantisek Hrbata) [999906] {CVE-2013-2889}
    - [crypto] ansi_cprng: Fix off by one error in non-block size request (Neil Horman) [1007694]     {CVE-2013-4345}
    - [bluetooth] rfcomm: Fix info leak in RFCOMMGETDEVLIST ioctl() (Radomir Vrbovsky) [922409]     {CVE-2012-6545}
    - [bluetooth] rfcomm: Fix info leak via getsockname() (Radomir Vrbovsky) [922409] {CVE-2012-6545}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-2534 advisory.

    - KVM: add missing void __user COPYING CREDITS Documentation Kbuild MAINTAINERS Makefile README REPORTING-     BUGS arch block crypto drivers firmware fs include init ipc kernel lib mm net samples scripts security     sound tools uek-rpm usr virt cast to access_ok() call (Heiko Carstens) [Orabug: 16941620] {CVE-2013-1943}
    - KVM: Validate userspace_addr of memslot when registered (Takuya Yoshikawa) [Orabug: 16941620]     {CVE-2013-1943}
    - tg3: fix length overflow in VPD firmware parsing (Kees Cook) [Orabug: 16837019] {CVE-2013-1929}
    - USB: cdc-wdm: fix buffer overflow (Oliver Neukum) [Orabug: 16837003] {CVE-2013-1860}
    - block: default SCSI command filter does not accomodate commands overlap across device classes (Jamie     Iles) [Orabug: 16387136] {CVE-2012-4542}
    - mm/hotplug: correctly add new zone to all other nodes' zone lists (Jiang Liu) [Orabug: 16603569]     {CVE-2012-5517}
    - ptrace: ptrace_resume() shouldn't wake up !TASK_TRACED thread (Oleg Nesterov) [Orabug: 16405868]     {CVE-2013-0871}
    - ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL (Oleg Nesterov) [Orabug: 16405868]     {CVE-2013-0871}
    - ptrace: introduce signal_wake_up_state() and ptrace_signal_wake_up() (Oleg Nesterov) [Orabug: 16405868]     {CVE-2013-0871}
    - Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() (Anderson Lizardo) [Orabug: 16711062]     {CVE-2013-0349}
    - dccp: check ccid before dereferencing (Mathias Krause) [Orabug: 16711040] {CVE-2013-1827}
    - USB: io_ti: Fix NULL dereference in chase_port() (Wolfgang Frisch) [Orabug: 16425435] {CVE-2013-1774}
    - keys: fix race with concurrent install_user_keyrings() (David Howells) [Orabug: 16493369]     {CVE-2013-1792}
    - KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) (Andy Honig) [Orabug:
    16710937] {CVE-2013-1798}
    - KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) (Jerry Snitselaar)     [Orabug: 16710794] {CVE-2013-1796}
    - net/tun: fix ioctl() based info leaks (Mathias Krause) [Orabug: 16675501] {CVE-2012-6547}
    - atm: fix info leak via getsockname() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6546}
    - atm: fix info leak in getsockopt(SO_ATMPVC) (Mathias Krause) [Orabug: 16675501] {CVE-2012-6546}
    - xfrm_user: fix info leak in copy_to_user_tmpl() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6537}
    - xfrm_user: fix info leak in copy_to_user_policy() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6537}
    - xfrm_user: fix info leak in copy_to_user_state() (Mathias Krause) [Orabug: 16675501] {CVE-2013-6537}
    - xfrm_user: return error pointer instead of NULL #2 (Mathias Krause) [Orabug: 16675501] {CVE-2013-1826}
    - xfrm_user: return error pointer instead of NULL (Mathias Krause) [Orabug: 16675501] {CVE-2013-1826}
    - llc: fix info leak via getsockname() (Mathias Krause) [Orabug: 16675501] {CVE-2012-6542}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-2525 advisory.

  - The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return     value in certain circumstances, which allows local users to obtain sensitive information from kernel stack     memory via a crafted application that leverages an uninitialized pointer argument. (CVE-2012-6542)

  - Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the     Linux kernel before 3.8.6 allows physically proximate attackers to cause a denial of service (system     crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital     Product Data (VPD) data structure. (CVE-2013-1929)

  - Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux     kernel before 3.8.4 allows physically proximate attackers to cause a denial of service (system crash) or     possibly execute arbitrary code via a crafted cdc-wdm USB device. (CVE-2013-1860)

  - fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments to functions in certain     circumstances related to printk input, which allows local users to conduct format-string attacks and     possibly gain privileges via a crafted application. (CVE-2013-1848)

  - The scm_set_cred function in include/net/scm.h in the Linux kernel before 3.8.11 uses incorrect uid and     gid values during credentials passing, which allows local users to gain privileges via a crafted     application. (CVE-2013-1979)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-0747 advisory.

    - [virt] xen-netback: backports (Andrew Jones) [910884 910885] {CVE-2013-0216}
    - [virt] xen-netback: netif_schedulable should take a netif (Andrew Jones) [910884 910885] {CVE-2013-0216}
    - [virt] pciback: rate limit error mess from pciback_enable_msi() (Igor Mammedov) [910876 910877]     {CVE-2013-0231}
    - [net] xfrm_user: fix info leak in copy_to_user_state() (Thomas Graf) [922426 922427] {CVE-2012-6537}
    - [net] xfrm_user: fix info leak in copy_to_user_policy() (Thomas Graf) [922426 922427] {CVE-2012-6537}
    - [net] xfrm_user: fix info leak in copy_to_user_tmpl() (Thomas Graf) [922426 922427] {CVE-2012-6537}
    - [net] atm: fix info leak in getsockopt(SO_ATMPVC) (Thomas Graf) [922384 922385] {CVE-2012-6546}
    - [net] atm: fix info leak via getsockname() (Thomas Graf) [922384 922385] {CVE-2012-6546}
    - [net] tun: fix ioctl() based info leaks (Thomas Graf) [922348 922349] {CVE-2012-6547}
    - [net] llc, zero sockaddr_llc struct (Thomas Graf) [922327 922329] {CVE-2012-6542}
    - [net] llc: fix info leak via getsockname() (Thomas Graf) [922327 922329] {CVE-2012-6542}
    - [net] xfrm_user: return error pointer instead of NULL (Thomas Graf) [919386 919387] {CVE-2013-1826}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2013:0747 :

Updated kernel packages that fix several security issues and three bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A flaw was found in the Xen netback driver implementation in the Linux kernel. A privileged guest user with access to a para-virtualized network device could use this flaw to cause a long loop in netback, leading to a denial of service that could potentially affect the entire system. (CVE-2013-0216, Moderate)

* A flaw was found in the Xen PCI device back-end driver implementation in the Linux kernel. A privileged guest user in a guest that has a PCI passthrough device could use this flaw to cause a denial of service that could potentially affect the entire system.
(CVE-2013-0231, Moderate)

* A NULL pointer dereference flaw was found in the IP packet transformation framework (XFRM) implementation in the Linux kernel. A local user who has the CAP_NET_ADMIN capability could use this flaw to cause a denial of service. (CVE-2013-1826, Moderate)

* Information leak flaws were found in the XFRM implementation in the Linux kernel. A local user who has the CAP_NET_ADMIN capability could use these flaws to leak kernel stack memory to user-space.
(CVE-2012-6537, Low)

* An information leak flaw was found in the logical link control (LLC) implementation in the Linux kernel. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space.
(CVE-2012-6542, Low)

* Two information leak flaws were found in the Linux kernel's Asynchronous Transfer Mode (ATM) subsystem. A local, unprivileged user could use these flaws to leak kernel stack memory to user-space.
(CVE-2012-6546, Low)

* An information leak flaw was found in the TUN/TAP device driver in the Linux kernel's networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space. (CVE-2012-6547, Low)

Red Hat would like to thank the Xen project for reporting the CVE-2013-0216 and CVE-2013-0231 issues.

This update also fixes the following bugs :

* The IPv4 code did not correctly update the Maximum Transfer Unit (MTU) of the designed interface when receiving ICMP Fragmentation Needed packets. Consequently, a remote host did not respond correctly to ping attempts. With this update, the IPv4 code has been modified so the MTU of the designed interface is adjusted as expected in this situation. The ping command now provides the expected output.
(BZ#923353)

* Previously, the be2net code expected the last word of an MCC completion message from the firmware to be transferred by direct memory access (DMA) at once. However, this is not always true, and could therefore cause the BUG_ON() macro to be triggered in the be_mcc_compl_is_new() function, consequently leading to a kernel panic. The BUG_ON() macro has been removed from be_mcc_compl_is_new(), and the kernel panic no longer occurs in this scenario. (BZ#923910)

* Previously, the NFSv3 server incorrectly converted 64-bit cookies to 32-bit. Consequently, the cookies became invalid, which affected all file system operations depending on these cookies, such as the READDIR operation that is used to read entries from a directory. This led to various problems, such as exported directories being empty or displayed incorrectly, or an endless loop of the READDIRPLUS procedure which could potentially cause a buffer overflow. This update modifies knfsd code so that 64-bit cookies are now handled correctly and all file system operations work as expected. (BZ#924087)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2012-2121     Benjamin Herrenschmidt and Jason Baron discovered issues     with the IOMMU mapping of memory slots used in KVM     device assignment. Local users with the ability to     assign devices could cause a denial of service due to a     memory page leak.

  - CVE-2012-3552     Hafid Lin reported an issue in the IP networking     subsystem. A remote user can cause a denial of service     (system crash) on servers running applications that set     options on sockets which are actively being processed.

  - CVE-2012-4461     Jon Howell reported a denial of service issue in the KVM     subsystem. On systems that do not support the XSAVE     feature, local users with access to the /dev/kvm     interface can cause a system crash.

  - CVE-2012-4508     Dmitry Monakhov and Theodore Ts'o reported a race     condition in the ext4 filesystem. Local users could gain     access to sensitive kernel memory.

  - CVE-2012-6537     Mathias Krause discovered information leak issues in the     Transformation user configuration interface. Local users     with the CAP_NET_ADMIN capability can gain access to     sensitive kernel memory.

  - CVE-2012-6539     Mathias Krause discovered an issue in the networking     subsystem. Local users on 64-bit systems can gain access     to sensitive kernel memory.

  - CVE-2012-6540     Mathias Krause discovered an issue in the Linux virtual     server subsystem. Local users can gain access to     sensitive kernel memory. Note: this issue does not     affect Debian provided kernels, but may affect custom     kernels built from Debian's linux-source-2.6.32 package.

  - CVE-2012-6542     Mathias Krause discovered an issue in the LLC protocol     support code. Local users can gain access to sensitive     kernel memory.

  - CVE-2012-6544     Mathias Krause discovered issues in the Bluetooth     subsystem. Local users can gain access to sensitive     kernel memory.

  - CVE-2012-6545     Mathias Krause discovered issues in the Bluetooth RFCOMM     protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2012-6546     Mathias Krause discovered issues in the ATM networking     support. Local users can gain access to sensitive kernel     memory.

  - CVE-2012-6548     Mathias Krause discovered an issue in the UDF file     system support. Local users can obtain access to     sensitive kernel memory.

  - CVE-2012-6549     Mathias Krause discovered an issue in the isofs file     system support. Local users can obtain access to     sensitive kernel memory.

  - CVE-2013-0349     Anderson Lizardo discovered an issue in the Bluetooth     Human Interface Device Protocol (HIDP) stack. Local     users can obtain access to sensitive kernel memory.

  - CVE-2013-0914     Emese Revfy discovered an issue in the signal     implementation. Local users may be able to bypass the     address space layout randomization (ASLR) facility due     to a leaking of information to child processes.

  - CVE-2013-1767     Greg Thelen reported an issue in the tmpfs virtual     memory filesystem. Local users with sufficient privilege     to mount filesystems can cause a denial of service or     possibly elevated privileges due to a use-after free     defect.

  - CVE-2013-1773     Alan Stern provided a fix for a defect in the     UTF8->UTF16 string conversion facility used by the VFAT     filesystem. A local user could cause a buffer overflow     condition, resulting in a denial of service or     potentially elevated privileges.

  - CVE-2013-1774     Wolfgang Frisch provided a fix for a NULL pointer     dereference defect in the driver for some serial USB     devices from Inside Out Networks. Local users with     permission to access these devices can create a denial     of service (kernel oops) by causing the device to be     removed while it is in use.

  - CVE-2013-1792     Mateusz Guzik of Red Hat EMEA GSS SEG Team discovered a     race condition in the access key retention support in     the kernel. A local user could cause a denial of service     (NULL pointer dereference).

  - CVE-2013-1796     Andrew Honig of Google reported an issue in the KVM     subsystem. A user in a guest operating system could     corrupt kernel memory, resulting in a denial of service.

  - CVE-2013-1798     Andrew Honig of Google reported an issue in the KVM     subsystem. A user in a guest operating system could     cause a denial of service due to a use after-free     defect.

  - CVE-2013-1826     Mathias Krause discovered an issue in the Transformation     (XFRM) user configuration interface of the networking     stack. A user with the CAP_NET_ADMIN capability may be     able to gain elevated privileges.

  - CVE-2013-1860     Oliver Neukum discovered an issue in the USB CDC WCM     Device Management driver. Local users with the ability     to attach devices can cause a denial of service (kernel     crash) or potentially gain elevated privileges.

  - CVE-2013-1928     Kees Cook provided a fix for an information leak in the     VIDEO_SET_SPU_PALETTE ioctl for 32-bit applications     running on a 64-bit kernel. Local users can gain access     to sensitive kernel memory.

  - CVE-2013-1929     Oded Horovitz and Brad Spengler reported an issue in the     device driver for Broadcom Tigon3 based gigabit     Ethernet. Users with the ability to attach untrusted     devices can create an overflow condition, resulting in a     denial of service or elevated privileges.

  - CVE-2013-2015     Theodore Ts'o provided a fix for an issue in the ext4     filesystem. Local users with the ability to mount a     specially crafted filesystem can cause a denial of     service (infinite loop).

  - CVE-2013-2634     Mathias Krause discovered a few issues in the Data     Center Bridging (DCB) netlink interface. Local users can     gain access to sensitive kernel memory.

  - CVE-2013-3222     Mathias Krause discovered an issue in the Asynchronous     Transfer Mode (ATM) protocol support. Local users can     gain access to sensitive kernel memory.

  - CVE-2013-3223     Mathias Krause discovered an issue in the Amateur Radio     AX.25 protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3224     Mathias Krause discovered an issue in the Bluetooth     subsystem. Local users can gain access to sensitive     kernel memory.

  - CVE-2013-3225     Mathias Krause discovered an issue in the Bluetooth     RFCOMM protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3228     Mathias Krause discovered an issue in the IrDA     (infrared) subsystem support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3229     Mathias Krause discovered an issue in the IUCV support     on s390 systems. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3231     Mathias Krause discovered an issue in the ANSI/IEEE     802.2 LLC type 2 protocol support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3234     Mathias Krause discovered an issue in the Amateur Radio     X.25 PLP (Rose) protocol support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3235     Mathias Krause discovered an issue in the Transparent     Inter Process Communication (TIPC) protocol support.
    Local users can gain access to sensitive kernel memory.

Mathias Krause discovered an information leak in the Linux kernel's getsockname implementation for Logical Link Layer (llc) sockets. A local user could exploit this flaw to examine some of the kernel's stack memory. (CVE-2012-6542)

Mathias Krause discovered information leaks in the Linux kernel's Bluetooth Logical Link Control and Adaptation Protocol (L2CAP) implementation. A local user could exploit these flaws to examine some of the kernel's stack memory. (CVE-2012-6544)

Mathias Krause discovered information leaks in the Linux kernel's Bluetooth RFCOMM protocol implementation. A local user could exploit these flaws to examine parts of kernel memory. (CVE-2012-6545)

Mathias Krause discovered information leaks in the Linux kernel's Asynchronous Transfer Mode (ATM) networking stack. A local user could exploit these flaws to examine some parts of kernel memory.
(CVE-2012-6546)

Mathias Krause discovered an information leak in the Linux kernel's UDF file system implementation. A local user could exploit this flaw to examine some of the kernel's heap memory. (CVE-2012-6548)

Andrew Jones discovered a flaw with the xen_iret function in Linux kernel's Xen virtualizeation. In the 32-bit Xen paravirt platform an unprivileged guest OS user could exploit this flaw to cause a denial of service (crash the system) or gain guest OS privilege.
(CVE-2013-0228)

An information leak was discovered in the Linux kernel's Bluetooth stack when HIDP (Human Interface Device Protocol) support is enabled.
A local unprivileged user could exploit this flaw to cause an information leak from the kernel. (CVE-2013-0349)

A flaw was discovered in the Edgeort USB serial converter driver when the device is disconnected while it is in use. A local user could exploit this flaw to cause a denial of service (system crash).
(CVE-2013-1774)

Andrew Honig discovered a flaw in guest OS time updates in the Linux kernel's KVM (Kernel-based Virtual Machine). A privileged guest user could exploit this flaw to cause a denial of service (crash host system) or potential escalate privilege to the host kernel level.
(CVE-2013-1796).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes the following security issues :

  - A flaw was found in the Xen netback driver     implementation in the Linux kernel. A privileged guest     user with access to a para-virtualized network device     could use this flaw to cause a long loop in netback,     leading to a denial of service that could potentially     affect the entire system. (CVE-2013-0216, Moderate)

  - A flaw was found in the Xen PCI device back-end driver     implementation in the Linux kernel. A privileged guest     user in a guest that has a PCI passthrough device could     use this flaw to cause a denial of service that could     potentially affect the entire system. (CVE-2013-0231,     Moderate)

  - A NULL pointer dereference flaw was found in the IP     packet transformation framework (XFRM) implementation in     the Linux kernel. A local user who has the CAP_NET_ADMIN     capability could use this flaw to cause a denial of     service. (CVE-2013-1826, Moderate)

  - Information leak flaws were found in the XFRM     implementation in the Linux kernel. A local user who has     the CAP_NET_ADMIN capability could use these flaws to     leak kernel stack memory to user-space. (CVE-2012-6537,     Low)

  - An information leak flaw was found in the logical link     control (LLC) implementation in the Linux kernel. A     local, unprivileged user could use this flaw to leak     kernel stack memory to user-space. (CVE-2012-6542, Low)

  - Two information leak flaws were found in the Linux     kernel's Asynchronous Transfer Mode (ATM) subsystem. A     local, unprivileged user could use these flaws to leak     kernel stack memory to user-space. (CVE-2012-6546, Low)

  - An information leak flaw was found in the TUN/TAP device     driver in the Linux kernel's networking implementation.
    A local user with access to a TUN/TAP virtual interface     could use this flaw to leak kernel stack memory to     user-space. (CVE-2012-6547, Low)

This update also fixes the following bugs :

  - The IPv4 code did not correctly update the Maximum     Transfer Unit (MTU) of the designed interface when     receiving ICMP Fragmentation Needed packets.
    Consequently, a remote host did not respond correctly to     ping attempts. With this update, the IPv4 code has been     modified so the MTU of the designed interface is     adjusted as expected in this situation. The ping command     now provides the expected output.

  - Previously, the be2net code expected the last word of an     MCC completion message from the firmware to be     transferred by direct memory access (DMA) at once.
    However, this is not always true, and could therefore     cause the BUG_ON() macro to be triggered in the     be_mcc_compl_is_new() function, consequently leading to     a kernel panic. The BUG_ON() macro has been removed from     be_mcc_compl_is_new(), and the kernel panic no longer     occurs in this scenario.

  - Previously, the NFSv3 server incorrectly converted     64-bit cookies to 32-bit. Consequently, the cookies     became invalid, which affected all file system     operations depending on these cookies, such as the     READDIR operation that is used to read entries from a     directory. This led to various problems, such as     exported directories being empty or displayed     incorrectly, or an endless loop of the READDIRPLUS     procedure which could potentially cause a buffer     overflow. This update modifies knfsd code so that 64-bit     cookies are now handled correctly and all file system     operations work as expected.

The system must be rebooted for this update to take effect.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2013:0747 advisory.

  - Kernel: xfrm_user information leaks copy_to_user_ (CVE-2012-6537)

  - Kernel: llc: information leak via getsockname (CVE-2012-6542)

  - Kernel: atm: information leak in getsockopt & getsockname (CVE-2012-6546)

  - Kernel: net/tun: ioctl() based information leaks (CVE-2012-6547)

  - kernel: xen: Linux netback DoS via malicious guest ring. (CVE-2013-0216)

  - kernel: xen: pciback DoS via not rate limited log messages (CVE-2013-0231)

  - Kernel: xfrm_user: return error pointer instead of NULL (CVE-2013-1826)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated kernel packages that fix several security issues and three bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A flaw was found in the Xen netback driver implementation in the Linux kernel. A privileged guest user with access to a para-virtualized network device could use this flaw to cause a long loop in netback, leading to a denial of service that could potentially affect the entire system. (CVE-2013-0216, Moderate)

* A flaw was found in the Xen PCI device back-end driver implementation in the Linux kernel. A privileged guest user in a guest that has a PCI passthrough device could use this flaw to cause a denial of service that could potentially affect the entire system.
(CVE-2013-0231, Moderate)

* A NULL pointer dereference flaw was found in the IP packet transformation framework (XFRM) implementation in the Linux kernel. A local user who has the CAP_NET_ADMIN capability could use this flaw to cause a denial of service. (CVE-2013-1826, Moderate)

* Information leak flaws were found in the XFRM implementation in the Linux kernel. A local user who has the CAP_NET_ADMIN capability could use these flaws to leak kernel stack memory to user-space.
(CVE-2012-6537, Low)

* An information leak flaw was found in the logical link control (LLC) implementation in the Linux kernel. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space.
(CVE-2012-6542, Low)

* Two information leak flaws were found in the Linux kernel's Asynchronous Transfer Mode (ATM) subsystem. A local, unprivileged user could use these flaws to leak kernel stack memory to user-space.
(CVE-2012-6546, Low)

* An information leak flaw was found in the TUN/TAP device driver in the Linux kernel's networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space. (CVE-2012-6547, Low)

Red Hat would like to thank the Xen project for reporting the CVE-2013-0216 and CVE-2013-0231 issues.

This update also fixes the following bugs :

* The IPv4 code did not correctly update the Maximum Transfer Unit (MTU) of the designed interface when receiving ICMP Fragmentation Needed packets. Consequently, a remote host did not respond correctly to ping attempts. With this update, the IPv4 code has been modified so the MTU of the designed interface is adjusted as expected in this situation. The ping command now provides the expected output.
(BZ#923353)

* Previously, the be2net code expected the last word of an MCC completion message from the firmware to be transferred by direct memory access (DMA) at once. However, this is not always true, and could therefore cause the BUG_ON() macro to be triggered in the be_mcc_compl_is_new() function, consequently leading to a kernel panic. The BUG_ON() macro has been removed from be_mcc_compl_is_new(), and the kernel panic no longer occurs in this scenario. (BZ#923910)

* Previously, the NFSv3 server incorrectly converted 64-bit cookies to 32-bit. Consequently, the cookies became invalid, which affected all file system operations depending on these cookies, such as the READDIR operation that is used to read entries from a directory. This led to various problems, such as exported directories being empty or displayed incorrectly, or an endless loop of the READDIRPLUS procedure which could potentially cause a buffer overflow. This update modifies knfsd code so that 64-bit cookies are now handled correctly and all file system operations work as expected. (BZ#924087)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2013-0747.

ID	Name	Product	Family	Severity
83618	SUSE SLES10 Security Update : kernel (SUSE-SU-2014:0536-1)	Nessus	SuSE Local Security Checks	medium
83611	SUSE SLES11 Security Update : kernel (SUSE-SU-2014:0287-1)	Nessus	SuSE Local Security Checks	high
83603	SUSE SLES10 Security Update : kernel (SUSE-SU-2013:1832-1)	Nessus	SuSE Local Security Checks	high
79170	CentOS 6 : kernel (CESA-2013:1645)	Nessus	CentOS Local Security Checks	medium
71490	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20131121)	Nessus	Scientific Linux Local Security Checks	medium
71108	Oracle Linux 6 : kernel (ELSA-2013-1645)	Nessus	Oracle Linux Local Security Checks	medium
71013	RHEL 6 : kernel (RHSA-2013:1645)	Nessus	Red Hat Local Security Checks	medium
68856	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel Security (ELSA-2013-2534)	Nessus	Oracle Linux Local Security Checks	high
68855	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel Security (ELSA-2013-2525)	Nessus	Oracle Linux Local Security Checks	high
68809	Oracle Linux 5 : kernel (ELSA-2013-0747)	Nessus	Oracle Linux Local Security Checks	medium
68808	Oracle Linux 5 : kernel (ELSA-2013-0747-1)	Nessus	Oracle Linux Local Security Checks	medium
66431	Debian DSA-2668-1 : linux-2.6 - privilege escalation/denial of service/information leak	Nessus	Debian Local Security Checks	medium
66232	Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1808-1)	Nessus	Ubuntu Local Security Checks	medium
66171	Ubuntu 10.04 LTS : linux vulnerabilities (USN-1805-1)	Nessus	Ubuntu Local Security Checks	medium
66016	Scientific Linux Security Update : kernel on SL5.x i386/x86_64 (20130416)	Nessus	Scientific Linux Local Security Checks	medium
65991	RHEL 5 : kernel (RHSA-2013:0747)	Nessus	Red Hat Local Security Checks	medium
65988	CentOS 5 : kernel (CESA-2013:0747)	Nessus	CentOS Local Security Checks	medium
801541	CentOS RHSA-2013-0747 Security Check	Log Correlation Engine	Generic	high

Detections

Analytics

CVE-2012-6542

medium

Tenable Plugins

medium

high

high

medium

medium

medium

medium

high

high

medium

medium

medium

medium

medium

medium

medium

medium

high