advisories/10651.adv

type: security
subject: Updated kernel packages fix multiple security vulnerabilities
CVE:
 - CVE-2013-0231
 - CVE-2013-2232
 - CVE-2013-2234
 - CVE-2013-2237
 - CVE-2013-2850
 - CVE-2013-2852
src:
  2:
   core:
    - kernel-3.4.52-1.mga2
    - kernel-userspace-headers-3.4.52-1.mga2
    - kmod-vboxadditions-4.1.24-11.mga2
    - kmod-virtualbox-4.1.24-11.mga2
    - kmod-xtables-addons-1.41-28.mga2
   nonfree: 
    - kmod-broadcom-wl-5.100.82.112-48.mga2.nonfree
    - kmod-fglrx-8.961-24.mga2.nonfree
    - kmod-nvidia173-173.14.36-14.mga2.nonfree
    - kmod-nvidia96xx-96.43.23-15.mga2.nonfree
    - kmod-nvidia-current-295.71-19.mga2.nonfree
description: |
  This kernel update provides the upstream 3.4.52 kernel and fixes
  the following security issues:

  The pciback_enable_msi function in the PCI backend driver 
  (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux
  kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to
  cause a denial of service via a large number of kernel log messages.
  (CVE-2013-0231 / XSA-43)

  ipv6: ip6_sk_dst_check() must not assume ipv6 dst
  It's possible to use AF_INET6 sockets and to connect to an IPv4
  destination. After this, socket dst cache is a pointer to a rtable,
  not rt6_info. This bug can be exploited by local non-root users
  to trigger various corruptions/crashes (CVE-2013-2232)

  af_key: fix info leaks in notify messages
  key_notify_sa_flush() and key_notify_policy_flush() miss to
  initialize the sadb_msg_reserved member of the broadcasted message
  and thereby leak 2 bytes of heap memory to listeners (CVE-2013-2234)

  af_key: initialize satype in key_notify_policy_flush()
  key_notify_policy_flush() miss to nitialize the sadb_msg_satype member
  of the broadcasted message and thereby leak heap memory to listeners
  (CVE-2013-2237)

  Heap-based buffer overflow in the iscsi_add_notunderstood_response function
  in drivers/target/iscsi/iscsi_target_parameters.c in the iSCSI target
  subsystem in the Linux kernel through 3.9.4 allows remote attackers to
  cause a denial of service (memory corruption and OOPS) or possibly execute
  arbitrary code via a long key that is not properly handled during
  construction of an error-response packet.
  A reproduction case requires patching open-iscsi to send overly large
  keys. Performing discovery in a loop will Oops the remote server.
  (CVE-2013-2850)

  Format string vulnerability in the b43_request_firmware function in
  drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in
  the Linux kernel through 3.9.4 allows local users to gain privileges by
  leveraging root access and including format string specifiers in an
  fwpostfix modprobe parameter, leading to improper construction of an
  error message. (CVE-2013-2852)

  Other fixes:
  Fix up alx AR8161 breakage (mga #10079)

  For other -stable fixes, read the referenced changelogs
references:
  - https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.46
  - https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.47
  - https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.48
  - https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.49
  - https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.50
  - https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.51
  - https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.52
  - https://bugs.mageia.org/show_bug.cgi?id=10651
1	claire	141	type: security
2			subject: Updated kernel packages fix multiple security vulnerabilities
3			CVE:
4			- CVE-2013-0231
5			- CVE-2013-2232
6			- CVE-2013-2234
7			- CVE-2013-2237
8			- CVE-2013-2850
9			- CVE-2013-2852
10			src:
11			2:
12			core:
13			- kernel-3.4.52-1.mga2
14			- kernel-userspace-headers-3.4.52-1.mga2
15			- kmod-vboxadditions-4.1.24-11.mga2
16			- kmod-virtualbox-4.1.24-11.mga2
17			- kmod-xtables-addons-1.41-28.mga2
18			nonfree:
19			- kmod-broadcom-wl-5.100.82.112-48.mga2.nonfree
20			- kmod-fglrx-8.961-24.mga2.nonfree
21			- kmod-nvidia173-173.14.36-14.mga2.nonfree
22			- kmod-nvidia96xx-96.43.23-15.mga2.nonfree
23			- kmod-nvidia-current-295.71-19.mga2.nonfree
24			description: \|
25			This kernel update provides the upstream 3.4.52 kernel and fixes
26			the following security issues:
27
28			The pciback_enable_msi function in the PCI backend driver
29			(drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux
30			kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to
31			cause a denial of service via a large number of kernel log messages.
32			(CVE-2013-0231 / XSA-43)
33
34			ipv6: ip6_sk_dst_check() must not assume ipv6 dst
35			It's possible to use AF_INET6 sockets and to connect to an IPv4
36			destination. After this, socket dst cache is a pointer to a rtable,
37			not rt6_info. This bug can be exploited by local non-root users
38			to trigger various corruptions/crashes (CVE-2013-2232)
39
40			af_key: fix info leaks in notify messages
41			key_notify_sa_flush() and key_notify_policy_flush() miss to
42			initialize the sadb_msg_reserved member of the broadcasted message
43			and thereby leak 2 bytes of heap memory to listeners (CVE-2013-2234)
44
45			af_key: initialize satype in key_notify_policy_flush()
46			key_notify_policy_flush() miss to nitialize the sadb_msg_satype member
47			of the broadcasted message and thereby leak heap memory to listeners
48			(CVE-2013-2237)
49
50			Heap-based buffer overflow in the iscsi_add_notunderstood_response function
51			in drivers/target/iscsi/iscsi_target_parameters.c in the iSCSI target
52			subsystem in the Linux kernel through 3.9.4 allows remote attackers to
53			cause a denial of service (memory corruption and OOPS) or possibly execute
54			arbitrary code via a long key that is not properly handled during
55			construction of an error-response packet.
56			A reproduction case requires patching open-iscsi to send overly large
57			keys. Performing discovery in a loop will Oops the remote server.
58			(CVE-2013-2850)
59
60			Format string vulnerability in the b43_request_firmware function in
61			drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in
62			the Linux kernel through 3.9.4 allows local users to gain privileges by
63			leveraging root access and including format string specifiers in an
64			fwpostfix modprobe parameter, leading to improper construction of an
65			error message. (CVE-2013-2852)
66
67			Other fixes:
68			Fix up alx AR8161 breakage (mga #10079)
69
70			For other -stable fixes, read the referenced changelogs
71			references:
72			- https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.46
73			- https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.47
74			- https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.48
75			- https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.49
76			- https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.50
77			- https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.51
78			- https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.52
79			- https://bugs.mageia.org/show_bug.cgi?id=10651