ALAS-2013-200


Amazon Linux AMI Security Advisory: ALAS-2013-200
Advisory Release Date: 2014-09-15 23:11 Pacific
Severity: Medium

Issue Overview:

Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel before 3.8.6 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure.

Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option.

The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call.

The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

Buffer overflow in the VFAT filesystem implementation in the Linux kernel before 3.3 allows local users to gain privileges or cause a denial of service (system crash) via a VFAT write operation on a filesystem with the utf8 mount option, which is not properly handled during UTF-8 to UTF-16 conversion.

The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application.

The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation.

The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.


Affected Packages:

kernel


Issue Correction:
Run yum update kernel to update your system. You must reboot the system afterwards so that the new kernel is the one running.

New Packages:
i686:
    kernel-debuginfo-common-i686-3.4.48-45.46.amzn1.i686
    kernel-tools-debuginfo-3.4.48-45.46.amzn1.i686
    kernel-debuginfo-3.4.48-45.46.amzn1.i686
    kernel-tools-3.4.48-45.46.amzn1.i686
    kernel-headers-3.4.48-45.46.amzn1.i686
    kernel-devel-3.4.48-45.46.amzn1.i686
    kernel-3.4.48-45.46.amzn1.i686

noarch:
    kernel-doc-3.4.48-45.46.amzn1.noarch

src:
    kernel-3.4.48-45.46.amzn1.src

x86_64:
    kernel-tools-3.4.48-45.46.amzn1.x86_64
    kernel-tools-debuginfo-3.4.48-45.46.amzn1.x86_64
    kernel-debuginfo-3.4.48-45.46.amzn1.x86_64
    kernel-headers-3.4.48-45.46.amzn1.x86_64
    kernel-3.4.48-45.46.amzn1.x86_64
    kernel-debuginfo-common-x86_64-3.4.48-45.46.amzn1.x86_64
    kernel-devel-3.4.48-45.46.amzn1.x86_64
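
Because the fix only takes effect after a reboot, a host can have the updated package installed and still be running the old kernel. The script below is an added example, not part of the original advisory: it compares the running and installed kernel against the fixed version-release from the package list above. The function names (numeric_fields, ver_ge, kernel_status) are hypothetical, and the comparison is a simplified numeric one that assumes Amazon Linux kernel strings, not rpm's full version algorithm.

```shell
#!/bin/sh
# Added example, not part of the advisory: is this host running a fixed kernel?
FIXED="3.4.48-45.46.amzn1"   # version-release from the advisory's package list

# "3.4.48-45.46.amzn1.x86_64" -> "3.4.48.45.46" (drop dist tag and arch).
numeric_fields() {
    printf '%s\n' "$1" | sed -e 's/\.amzn.*$//' -e 's/-/./g'
}

# ver_ge A B: succeed when A >= B, comparing fields as integers.
# Simplified for Amazon Linux kernel strings; this is not rpm's full vercmp.
ver_ge() {
    a=$(numeric_fields "$1"); b=$(numeric_fields "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        # Drop the field just read; clear the string when no dot is left.
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        # Keep leading digits only; missing or non-numeric fields count as 0.
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# kernel_status RUNNING INSTALLED: classify a host against the advisory.
kernel_status() {
    if ver_ge "$1" "$FIXED"; then
        echo "fixed"
    elif ver_ge "$2" "$FIXED"; then
        echo "reboot-required"      # package updated, old kernel still running
    else
        echo "update-required"
    fi
}

# Newest installed kernel package, if rpm is available on this host.
installed=""
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel 2>/dev/null | sort -V | tail -n 1)
fi
kernel_status "$(uname -r)" "$installed"
```
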