History: May 20, 2013 - 12:00 a.m.

(RHSA-2013:0829) Important: kernel-rt security and bug fix update

2013-05-20 00:00:00
access.redhat.com
CVSS2: 7.2 High

  Access Vector: LOCAL
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.003 Low (Percentile 67.2%)

Security fixes:

  • It was found that the kernel-rt update RHBA-2012:0044 introduced an
    integer conversion issue in the Linux kernel’s Performance Events
    implementation. This led to a user-supplied index into the
    perf_swevent_enabled array not being validated properly, resulting in
    out-of-bounds kernel memory access. A local, unprivileged user could use
    this flaw to escalate their privileges. (CVE-2013-2094, Important)

A public exploit for CVE-2013-2094 that affects Red Hat Enterprise MRG 2 is
available. Refer to Red Hat Knowledge Solution 373743, linked to in the
References, for further information and mitigation instructions for users
who are unable to immediately apply this update.
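
The class of flaw described for CVE-2013-2094, shown as an added user-space model (not kernel code and not part of the advisory): a user-supplied 64-bit value is narrowed to a signed integer before the bounds check, next to a check that compares at full width. The names SWEVENT_MAX, validate_flawed and validate_hardened, the table size and the sample inputs are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed table size for this model; not taken from the advisory. */
#define SWEVENT_MAX 9

enum verdict { REJECTED, IN_BOUNDS, OUT_OF_BOUNDS };

/* Reports where an accepted index would land, without touching memory. */
static enum verdict classify(int64_t idx)
{
    return (idx >= 0 && idx < SWEVENT_MAX) ? IN_BOUNDS : OUT_OF_BOUNDS;
}

/* Flawed pattern: the 64-bit value is narrowed to a signed int and only the
 * upper bound is tested, so a value with bit 31 set turns negative and passes. */
enum verdict validate_flawed(uint64_t config)
{
    int id = (int)config;   /* narrowing keeps the low 32 bits on gcc/clang */
    if (id >= SWEVENT_MAX)
        return REJECTED;
    return classify(id);
}

/* Hardened pattern: compare at full unsigned width before any narrowing. */
enum verdict validate_hardened(uint64_t config)
{
    if (config >= SWEVENT_MAX)
        return REJECTED;
    return classify((int64_t)config);
}

int main(void)
{
    /* Constructed inputs: valid, too large, bit 31 set, high bits set. */
    const uint64_t samples[] = { 3, 100, 0x80000000u, 0x100000003ull };
    static const char *names[] = { "rejected", "in bounds", "OUT OF BOUNDS" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("config=0x%llx flawed=%s hardened=%s\n",
               (unsigned long long)samples[i],
               names[validate_flawed(samples[i])],
               names[validate_hardened(samples[i])]);
    return 0;
}
```
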

  • An integer overflow flaw, leading to a heap-based buffer overflow, was
    found in the way the Intel i915 driver in the Linux kernel handled the
    allocation of the buffer used for relocation copies. A local user with
    console access could use this flaw to cause a denial of service or escalate
    their privileges. (CVE-2013-0913, Important)

  • It was found that the Linux kernel used effective user and group IDs
    instead of real ones when passing messages with SCM_CREDENTIALS ancillary
    data. A local, unprivileged user could leverage this flaw with a set user
    ID (setuid) application, allowing them to escalate their privileges.
    (CVE-2013-1979, Important)

  • A race condition in install_user_keyrings(), leading to a NULL pointer
    dereference, was found in the key management facility. A local,
    unprivileged user could use this flaw to cause a denial of service.
    (CVE-2013-1792, Moderate)

  • A NULL pointer dereference flaw was found in the Linux kernel’s XFS file
    system implementation. A local user who is able to mount an XFS file
    system could use this flaw to cause a denial of service. (CVE-2013-1819,
    Moderate)

  • An information leak was found in the Linux kernel’s POSIX signals
    implementation. A local, unprivileged user could use this flaw to bypass
    the Address Space Layout Randomization (ASLR) security feature.
    (CVE-2013-0914, Low)

  • A use-after-free flaw was found in the tmpfs implementation. A local user
    able to mount and unmount a tmpfs file system could use this flaw to cause
    a denial of service or, potentially, escalate their privileges.
    (CVE-2013-1767, Low)

  • A NULL pointer dereference flaw was found in the Linux kernel’s USB
    Inside Out Edgeport Serial Driver implementation. A local user with
    physical access to a system and with access to a USB device’s tty file
    could use this flaw to cause a denial of service. (CVE-2013-1774, Low)

  • A format string flaw was found in the ext3_msg() function in the Linux
    kernel’s ext3 file system implementation. A local user who is able to
    mount an ext3 file system could use this flaw to cause a denial of service
    or, potentially, escalate their privileges. (CVE-2013-1848, Low)

  • A heap-based buffer overflow flaw was found in the Linux kernel’s
    cdc-wdm driver, used for USB CDC WCM device management. An attacker with
    physical access to a system could use this flaw to cause a denial of
    service or, potentially, escalate their privileges. (CVE-2013-1860, Low)

  • A heap-based buffer overflow in the way the tg3 Ethernet driver parsed
    the vital product data (VPD) of devices could allow an attacker with
    physical access to a system to cause a denial of service or, potentially,
    escalate their privileges. (CVE-2013-1929, Low)

  • Information leaks in the Linux kernel’s cryptographic API could allow a
    local user who has the CAP_NET_ADMIN capability to leak kernel stack memory
    to user-space. (CVE-2013-2546, CVE-2013-2547, CVE-2013-2548, Low)

  • Information leaks in the Linux kernel could allow a local, unprivileged
    user to leak kernel stack memory to user-space. (CVE-2013-2634,
    CVE-2013-2635, CVE-2013-3076, CVE-2013-3222, CVE-2013-3224, CVE-2013-3225,
    CVE-2013-3231, Low)

Red Hat would like to thank Andy Lutomirski for reporting CVE-2013-1979.
CVE-2013-1792 was discovered by Mateusz Guzik of Red Hat EMEA GSS SEG Team.
