From: 1)http://www.openwall.com/lists/oss-security/2013/02/20/3 2)http://www.openwall.com/lists/oss-security/2013/02/20/2 3)http://www.openwall.com/lists/oss-security/2013/02/20/1 If a single descriptor crosses a region, the second chunk length should be decremented by size translated so far, instead it includes the full descriptor length. A privileged guest user could use this flaw to crash the host or, potentially, corrupt host memory. Upstream fix: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=bd97120fc3d1a11f3124c7c9ba1d91f51829eb85 References: https://bugzilla.redhat.com/show_bug.cgi?id=912905 -------- The skb argument to cipso_v4_validate() is NULL when called via the setsockopt() syscall. An local user able to set CIPSO IP options on the socket could use this flaw to crash the system. Upstream fix: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=89d7ae34cdda4195809a5a987f697a517a2a3177 References: https://bugzilla.redhat.com/show_bug.cgi?id=912900 --------- Most VM places are using pmd_none but a few are still using pmd_present. The meaning is about the same for the pmd. However pmd_present would return the wrong value on PROT_NONE ranges. When the code using pmd_present gets a false negative, the kernel will crash. An unprivileged local user could use this flaw to crash the system. Upstream fix: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=027ef6c8 References: https://bugzilla.redhat.com/show_bug.cgi?id=912898
CVE-2013-0311 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0311): The translate_desc function in drivers/vhost/vhost.c in the Linux kernel before 3.7 does not properly handle cross-region descriptors, which allows guest OS users to obtain host OS privileges by leveraging KVM guest OS privileges. CVE-2013-0310 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0310): The cipso_v4_validate function in net/ipv4/cipso_ipv4.c in the Linux kernel before 3.4.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an IPOPT_CIPSO IP_OPTIONS setsockopt system call. CVE-2013-0309 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0309): arch/x86/include/asm/pgtable.h in the Linux kernel before 3.6.2, when transparent huge pages are used, does not properly support PROT_NONE memory regions, which allows local users to cause a denial of service (system crash) via a crafted application.
There are no longer any 2.x or <3.7 kernels available in the repository with the exception of sys-kernel/xbox-sources which is unsupported by security.