-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:230 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : kernel Date : November 27, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been found and corrected in the Linux kernel: The WRMSR processing functionality in the KVM subsystem in the Linux kernel through 3.17.2 does not properly handle the writing of a non-canonical address to a model-specific register, which allows guest OS users to cause a denial of service (host OS crash) by leveraging guest OS privileges, related to the wrmsr_interception function in arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c (CVE-2014-3610). Race condition in the __kvm_migrate_pit_timer function in arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through 3.17.2 allows guest OS users to cause a denial of service (host OS crash) by leveraging incorrect PIT emulation (CVE-2014-3611). arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.12 does not have an exit handler for the INVEPT instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application (CVE-2014-3645). arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2 does not have an exit handler for the INVVPID instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application (CVE-2014-3646). arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 does not properly perform RIP changes, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application (CVE-2014-3647). The SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c (CVE-2014-3673). The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (panic) via duplicate ASCONF chunks that trigger an incorrect uncork within the side-effect interpreter (CVE-2014-3687). arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.17.2 on Intel processors does not ensure that the value in the CR4 control register remains the same after a VM entry, which allows host OS users to kill arbitrary processes or cause a denial of service (system disruption) by leveraging /dev/kvm access, as demonstrated by PR_SET_TSC prctl calls within a modified copy of QEMU (CVE-2014-3690). kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application (CVE-2014-7825). kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application (CVE-2014-7826). The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call (CVE-2014-7970). The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.17.2 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to cause a denial of service (host OS page unpinning) or possibly have unspecified other impact by leveraging guest OS privileges. NOTE: this vulnerability exists because of an incorrect fix for CVE-2014-3601 (CVE-2014-8369). The updated packages provides a solution for these security issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3610 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3611 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3645 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3646 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3647 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3673 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3687 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3690 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7825 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7826 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7970 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8369 _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: 844335653b0d9e326bd0a216f3ea302d mbs1/x86_64/cpupower-3.4.104-2.1.mbs1.x86_64.rpm 0944cdafdcb39a677b01248786a2a57b mbs1/x86_64/kernel-firmware-3.4.104-2.1.mbs1.noarch.rpm ba7ff021bc473448d12f34507ed3c421 mbs1/x86_64/kernel-headers-3.4.104-2.1.mbs1.x86_64.rpm c5da0b82ad77b075f6ce0390cafe4529 mbs1/x86_64/kernel-server-3.4.104-2.1.mbs1.x86_64.rpm 818764027cea7651b6eed4bdaefcb689 mbs1/x86_64/kernel-server-devel-3.4.104-2.1.mbs1.x86_64.rpm fb73af4d10dbfb744772697aeded569d mbs1/x86_64/kernel-source-3.4.104-2.mbs1.noarch.rpm cb9483eb41b264e9c0844098912dc303 mbs1/x86_64/lib64cpupower0-3.4.104-2.1.mbs1.x86_64.rpm bca76ebdff84f3fcb662ed40f337dab2 mbs1/x86_64/lib64cpupower-devel-3.4.104-2.1.mbs1.x86_64.rpm dd64b01e869b7cfb3c565310d4bcd445 mbs1/x86_64/perf-3.4.104-2.1.mbs1.x86_64.rpm 06db298a74aae5b928698a4ab1c5caf9 mbs1/SRPMS/cpupower-3.4.104-2.1.mbs1.src.rpm 096237c036ac96f145cce3045968ee53 mbs1/SRPMS/kernel-firmware-3.4.104-2.1.mbs1.src.rpm b28b50590a939c293d1f5b47a210a4d3 mbs1/SRPMS/kernel-headers-3.4.104-2.1.mbs1.src.rpm d6b2dd0334645247996a487d5b946fdc mbs1/SRPMS/kernel-server-3.4.104-2.1.mbs1.src.rpm 7457a1bb39e640bebe34b68857e04b54 mbs1/SRPMS/kernel-source-3.4.104-2.mbs1.src.rpm 45b43544167a6e121148276e9ddb6a49 mbs1/SRPMS/perf-3.4.104-2.1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFUdtH/mqjQ0CJFipgRAmCdAJ9EMBSGdIrGawNjl72V8cYCHhZhMgCg5g4t uKrF0GIY2y6H1sJCQMF3rZU= =MIBL -----END PGP SIGNATURE-----