LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: December 12th, 2014
Linux Security Week: December 9th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Debian: 2669-1: linux: privilege escalation/denial Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Debian Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: [More...]
- ----------------------------------------------------------------------
Debian Security Advisory DSA-2669-1                security@debian.org
http://www.debian.org/security/                           Dann Frazier
May 15, 2013                        http://www.debian.org/security/faq
- ----------------------------------------------------------------------

Package        : linux
Vulnerability  : privilege escalation/denial of service/information leak
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2013-0160 CVE-2013-1796 CVE-2013-1929 CVE-2013-1979
                 CVE-2013-2015 CVE-2013-2094 CVE-2013-3076 CVE-2013-3222
                 CVE-2013-3223 CVE-2013-3224 CVE-2013-3225 CVE-2013-3227
                 CVE-2013-3228 CVE-2013-3229 CVE-2013-3231 CVE-2013-3234
                 CVE-2013-3235 CVE-2013-3301

Several vulnerabilities have been discovered in the Linux kernel that may lead
to a denial of service, information leak or privilege escalation. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2013-0160

    vladz reported a timing leak with the /dev/ptmx character device. A local
    user could use this to determine sensitive information such as password
    length.

CVE-2013-1796

    Andrew Honig of Google reported an issue in the KVM subsystem. A user in
    a guest operating system could corrupt kernel memory, resulting in a
    denial of service.

CVE-2013-1929

    Oded Horovitz and Brad Spengler reported an issue in the device driver for
    Broadcom Tigon3 based gigabit Ethernet. Users with the ability to attach
    untrusted devices can create an overflow condition, resulting in a denial
    of service or elevated privileges.

CVE-2013-1979

    Andy Lutomirski reported an issue in the socket level control message
    processing subsystem. Local users maybe able to gain eleveated privileges.

CVE-2013-2015

    Theodore Ts'o provided a fix for an issue in the ext4 filesystem. Local
    users with the ability to mount a specially crafted filesystem can cause
    a denial of service (infinite loop).

CVE-2013-2094

    Tommie Rantala discovered an issue in the perf subsystem. An out-of-bounds
    access vulnerability allows local users to gain elevated privileges.

CVE-2013-3076

    Mathias Krauss discovered an issue in the userspace interface for hash
    algorithms. Local users can gain access to sensitive kernel memory.
    
CVE-2013-3222

    Mathias Krauss discovered an issue in the Asynchronous Transfer Mode (ATM)
    protocol support. Local users can gain access to sensitive kernel memory.

CVE-2013-3223

    Mathias Krauss discovered an issue in the Amateur Radio AX.25 protocol
    support. Local users can gain access to sensitive kernel memory.

CVE-2013-3224

    Mathias Krauss discovered an issue in the Bluetooth subsystem. Local users
    can gain access to sensitive kernel memory.

CVE-2013-3225

    Mathias Krauss discovered an issue in the Bluetooth RFCOMM protocol
    support. Local users can gain access to sensitive kernel memory.
    
CVE-2013-3227

    Mathias Krauss discovered an issue in the Communication CPU to Application
    CPU Interface (CAIF). Local users can gain access to sensitive kernel
    memory.

CVE-2013-3228

    Mathias Krauss discovered an issue in the IrDA (infrared) subsystem
    support. Local users can gain access to sensitive kernel memory.

CVE-2013-3229

    Mathias Krauss discovered an issue in the IUCV support on s390 systems.
    Local users can gain access to sensitive kernel memory.

CVE-2013-3231

    Mathias Krauss discovered an issue in the ANSI/IEEE 802.2 LLC type 2
    protocol support. Local users can gain access to sensitive kernel memory.

CVE-2013-3234

    Mathias Krauss discovered an issue in the Amateur Radio X.25 PLP (Rose)
    protocol support. Local users can gain access to sensitive kernel memory.

CVE-2013-3235

    Mathias Krauss discovered an issue in the Transparent Inter Process
    Communication (TIPC) protocol support. Local users can gain access to
    sensitive kernel memory.

CVE-2013-3301

    Namhyung Kim reported an issue in the tracing subsystem. A privileged
    local user could cause a denial of service (system crash). This
    vulnerabililty is not applicable to Debian systems by default.

For the stable distribution (wheezy), this problem has been fixed in version
3.2.41-2+deb7u1.

Note: Updates are currently available for the amd64, i386, ia64, s390, s390x
and sparc architectures. Updates for the remaining architectures will be
released as they become available.

The following matrix lists additional source packages that were rebuilt for
compatibility with or to take advantage of this update:

                                             Debian 7.0 (wheezy)
     user-mode-linux                         3.2-2um-1+deb7u1

We recommend that you upgrade your linux and user-mode-linux packages.

Note: Debian carefully tracks all known security issues across every
linux kernel package in all releases under active security support.
However, given the high frequency at which low-severity security
issues are discovered in the kernel and the resource requirements of
doing an update, updates for lower priority issues will normally not
be released for all kernels at the same time. Rather, they will be
released in a staggered or "leap-frog" fashion.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
University of California, Berkeley Hacked, Data Compromised
London teen pleads guilty to Spamhaus DDoS
New England security group shares threat intelligence, strives to bolster region
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.