ALAS-2013-218

Amazon Linux 1 Security Advisory: ALAS-2013-218
Advisory Release Date: 2013-08-13 21:32 Pacific
Advisory Updated Date: 2014-09-15 23:25 Pacific

Severity: Medium

References: CVE-2012-6548 CVE-2013-0914 CVE-2013-1059 CVE-2013-1848 CVE-2013-2128 CVE-2013-2232 CVE-2013-2234 CVE-2013-2634 CVE-2013-2635 CVE-2013-2852 CVE-2013-3222 CVE-2013-3224 CVE-2013-3225 CVE-2013-3301
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application.

The ftrace implementation in the Linux kernel before 3.8.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for write access to the (1) set_ftrace_pid or (2) set_graph_function file, and then making an lseek system call.

The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.

The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.

The tcp_read_sock function in net/ipv4/tcp.c in the Linux kernel before 2.6.34 does not properly manage skb consumption, which allows local users to cause a denial of service (system crash) via a crafted splice system call for a TCP socket.

The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message.

The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.

The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call.

net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.

fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments to functions in certain circumstances related to printk input, which allows local users to conduct format-string attacks and possibly gain privileges via a crafted application.

net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation.

Affected Packages:

kernel

Issue Correction:
Run yum update kernel to update your system. You will need to reboot your system in order for the new kernel to be running.

New Packages:

i686:
    kernel-headers-3.4.57-48.42.amzn1.i686
    kernel-debuginfo-common-i686-3.4.57-48.42.amzn1.i686
    kernel-tools-3.4.57-48.42.amzn1.i686
    kernel-3.4.57-48.42.amzn1.i686
    kernel-devel-3.4.57-48.42.amzn1.i686
    kernel-debuginfo-3.4.57-48.42.amzn1.i686
    kernel-tools-debuginfo-3.4.57-48.42.amzn1.i686

noarch:
    kernel-doc-3.4.57-48.42.amzn1.noarch

src:
    kernel-3.4.57-48.42.amzn1.src

x86_64:
    kernel-tools-debuginfo-3.4.57-48.42.amzn1.x86_64
    kernel-tools-3.4.57-48.42.amzn1.x86_64
    kernel-3.4.57-48.42.amzn1.x86_64
    kernel-debuginfo-common-x86_64-3.4.57-48.42.amzn1.x86_64
    kernel-devel-3.4.57-48.42.amzn1.x86_64
    kernel-headers-3.4.57-48.42.amzn1.x86_64
    kernel-debuginfo-3.4.57-48.42.amzn1.x86_64

Additional References

Red Hat: CVE-2012-6548, CVE-2013-0914, CVE-2013-1059, CVE-2013-1848, CVE-2013-2128, CVE-2013-2232, CVE-2013-2234, CVE-2013-2634, CVE-2013-2635, CVE-2013-2852, CVE-2013-3222, CVE-2013-3224, CVE-2013-3225, CVE-2013-3301

Mitre: CVE-2012-6548, CVE-2013-0914, CVE-2013-1059, CVE-2013-1848, CVE-2013-2128, CVE-2013-2232, CVE-2013-2234, CVE-2013-2634, CVE-2013-2635, CVE-2013-2852, CVE-2013-3222, CVE-2013-3224, CVE-2013-3225, CVE-2013-3301