advisories/10697.adv

type: security
subject: Updated kernel packages fix multiple security vulnerabilities
CVE:
 - CVE-2013-0231
 - CVE-2013-2232
 - CVE-2013-2234
 - CVE-2013-2237
 - CVE-2013-2850
 - CVE-2013-2852
src:
  3:
   core:
     - kernel-3.8.13.4-1.mga3
     - kernel-userspace-headers-3.8.13.4-1.mga3
     - kmod-vboxadditions-4.2.12-14.mga3
     - kmod-virtualbox-4.2.12-14.mga3
     - kmod-xtables-addons-2.1-31.mga3
   nonfree:
     - fglrx-12.104-3.mga3.nonfree
     - kmod-broadcom-wl-5.100.82.112-83.mga3.nonfree
     - kmod-fglrx-12.104-10.mga3.nonfree
     - kmod-nvidia173-173.14.37-16.mga3.nonfree
     - kmod-nvidia304-304.88-15.mga3.nonfree
     - kmod-nvidia-current-319.17-7.mga3.nonfree
description: |
  This kernel update provides the extended stable 3.8.13.4 kernel and fixes
  the follwing security issues:
  
  The pciback_enable_msi function in the PCI backend driver 
  (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux
  kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to
  cause a denial of service via a large number of kernel log messages.
  (CVE-2013-0231 / XSA-43)
  
  ipv6: ip6_sk_dst_check() must not assume ipv6 dst
  It's possible to use AF_INET6 sockets and to connect to an IPv4
  destination. After this, socket dst cache is a pointer to a rtable,
  not rt6_info. This bug can be exploited by local non-root users
  to trigger various corruptions/crashes (CVE-2013-2232)
  
  af_key: fix info leaks in notify messages
  key_notify_sa_flush() and key_notify_policy_flush() miss to
  initialize the sadb_msg_reserved member of the broadcasted message
  and thereby leak 2 bytes of heap memory to listeners (CVE-2013-2234)
  
  af_key: initialize satype in key_notify_policy_flush()
  key_notify_policy_flush() miss to nitialize the sadb_msg_satype member
  of the broadcasted message and thereby leak heap memory to listeners
  (CVE-2013-2237)
  
  Heap-based buffer overflow in the iscsi_add_notunderstood_response function
  in drivers/target/iscsi/iscsi_target_parameters.c in the iSCSI target
  subsystem in the Linux kernel through 3.9.4 allows remote attackers to
  cause a denial of service (memory corruption and OOPS) or possibly execute
  arbitrary code via a long key that is not properly handled during
  construction of an error-response packet.
  A reproduction case requires patching open-iscsi to send overly large
  keys. Performing discovery in a loop will Oops the remote server.
  (CVE-2013-2850)
  
  Format string vulnerability in the b43_request_firmware function in
  drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in
  the Linux kernel through 3.9.4 allows local users to gain privileges by
  leveraging root access and including format string specifiers in an
  fwpostfix modprobe parameter, leading to improper construction of an
  error message. (CVE-2013-2852)
  
  Other fixes:
  - Fix up alx AR8161 breakage (mga #10079)
  - bcma: add support for BCM43142 (mga#9378, mga#10611)
  - net/tg3: Avoid delay during MMIO access
  - re-add aufs support (mga#8314)
  - enable support for more touchscreens
  - iommu/vt-d: add quirk for broken interrupt remapping on 55XX chipsets
  - rtlwifi: rtl8723ae: Fix typo in firmware names
  - rtlwifi: rtl8192cu: Fix problem in connecting to WEP or WPA(1) networks
  - md/raid10: fix two bugs affecting RAID10 reshape
  - crypto: algboss - Hold ref count on larval
  - perf: Disable monitoring on setuid processes for regular users
  - netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling
  - enable X86_X2APIC, X86_REROUTE_FOR_BROKEN_BOOT_IRQS, FHANDLE
  - disable COMPAT_VDSO (not needed since glibc-2.3.3)
  - conflict too old plymouth to make cleaner upgrades (mga #10128)
    (fixes the errata for online upgraders)
  
  For other fixes in the extended stable update, see the referenced shortlog
references:
 - https://bugs.mageia.org/show_bug.cgi?id=10697
 - http://kernel.ubuntu.com/git?p=ubuntu/linux.git;h=refs/heads/linux-3.8.y;a=shortlog

ID: MGASA-2013-0204
1	type: security
2	subject: Updated kernel packages fix multiple security vulnerabilities
3	CVE:
4	- CVE-2013-0231
5	- CVE-2013-2232
6	- CVE-2013-2234
7	- CVE-2013-2237
8	- CVE-2013-2850
9	- CVE-2013-2852
10	src:
11	3:
12	core:
13	- kernel-3.8.13.4-1.mga3
14	- kernel-userspace-headers-3.8.13.4-1.mga3
15	- kmod-vboxadditions-4.2.12-14.mga3
16	- kmod-virtualbox-4.2.12-14.mga3
17	- kmod-xtables-addons-2.1-31.mga3
18	nonfree:
19	- fglrx-12.104-3.mga3.nonfree
20	- kmod-broadcom-wl-5.100.82.112-83.mga3.nonfree
21	- kmod-fglrx-12.104-10.mga3.nonfree
22	- kmod-nvidia173-173.14.37-16.mga3.nonfree
23	- kmod-nvidia304-304.88-15.mga3.nonfree
24	- kmod-nvidia-current-319.17-7.mga3.nonfree
25	description: \|
26	This kernel update provides the extended stable 3.8.13.4 kernel and fixes
27	the follwing security issues:
28
29	The pciback_enable_msi function in the PCI backend driver
30	(drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux
31	kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to
32	cause a denial of service via a large number of kernel log messages.
33	(CVE-2013-0231 / XSA-43)
34
35	ipv6: ip6_sk_dst_check() must not assume ipv6 dst
36	It's possible to use AF_INET6 sockets and to connect to an IPv4
37	destination. After this, socket dst cache is a pointer to a rtable,
38	not rt6_info. This bug can be exploited by local non-root users
39	to trigger various corruptions/crashes (CVE-2013-2232)
40
41	af_key: fix info leaks in notify messages
42	key_notify_sa_flush() and key_notify_policy_flush() miss to
43	initialize the sadb_msg_reserved member of the broadcasted message
44	and thereby leak 2 bytes of heap memory to listeners (CVE-2013-2234)
45
46	af_key: initialize satype in key_notify_policy_flush()
47	key_notify_policy_flush() miss to nitialize the sadb_msg_satype member
48	of the broadcasted message and thereby leak heap memory to listeners
49	(CVE-2013-2237)
50
51	Heap-based buffer overflow in the iscsi_add_notunderstood_response function
52	in drivers/target/iscsi/iscsi_target_parameters.c in the iSCSI target
53	subsystem in the Linux kernel through 3.9.4 allows remote attackers to
54	cause a denial of service (memory corruption and OOPS) or possibly execute
55	arbitrary code via a long key that is not properly handled during
56	construction of an error-response packet.
57	A reproduction case requires patching open-iscsi to send overly large
58	keys. Performing discovery in a loop will Oops the remote server.
59	(CVE-2013-2850)
60
61	Format string vulnerability in the b43_request_firmware function in
62	drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in
63	the Linux kernel through 3.9.4 allows local users to gain privileges by
64	leveraging root access and including format string specifiers in an
65	fwpostfix modprobe parameter, leading to improper construction of an
66	error message. (CVE-2013-2852)
67
68	Other fixes:
69	- Fix up alx AR8161 breakage (mga #10079)
70	- bcma: add support for BCM43142 (mga#9378, mga#10611)
71	- net/tg3: Avoid delay during MMIO access
72	- re-add aufs support (mga#8314)
73	- enable support for more touchscreens
74	- iommu/vt-d: add quirk for broken interrupt remapping on 55XX chipsets
75	- rtlwifi: rtl8723ae: Fix typo in firmware names
76	- rtlwifi: rtl8192cu: Fix problem in connecting to WEP or WPA(1) networks
77	- md/raid10: fix two bugs affecting RAID10 reshape
78	- crypto: algboss - Hold ref count on larval
79	- perf: Disable monitoring on setuid processes for regular users
80	- netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling
81	- enable X86_X2APIC, X86_REROUTE_FOR_BROKEN_BOOT_IRQS, FHANDLE
82	- disable COMPAT_VDSO (not needed since glibc-2.3.3)
83	- conflict too old plymouth to make cleaner upgrades (mga #10128)
84	(fixes the errata for online upgraders)
85
86	For other fixes in the extended stable update, see the referenced shortlog
87	references:
88	- https://bugs.mageia.org/show_bug.cgi?id=10697
89	- http://kernel.ubuntu.com/git?p=ubuntu/linux.git;h=refs/heads/linux-3.8.y;a=shortlog
90
91	ID: MGASA-2013-0204