Bug 475638 (CVE-2013-2224)

Summary:	<sys-kernel/openvz-sources-2.6.32.78.27 - local unprivileged user could crash the system resulting in DoS (CVE-2013-2224)
Product:	Gentoo Security	Reporter:	Joakim <moonwalker>
Component:	Kernel	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	alexander, andreis.vinogradovs, pinkbyte, proxy-maint, vserver-devs+disabled
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [noglsa]
Package list:		Runtime testing required:	---

Description Joakim 2013-07-03 16:44:59 UTC

The currently stable gentoo ebuild openvz-sources-2.6.32.78.26 has a security problem and was replaced by openvz-sources-2.6.32.78.27

http://wiki.openvz.org/Download/kernel/rhel6/042stab078.27
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2224

Please bump asap

Thanks

Comment 1 Agostino Sarubbo gentoo-dev

2013-07-04 19:12:11 UTC

@pva, could you confirm the issue?

Comment 2 Andreis Vinogradovs ( slepnoga ) 2013-07-05 06:05:09 UTC

(In reply to Agostino Sarubbo from comment #1)
> @pva, could you confirm the issue?

I'm not pva ;), but ,yes, i confirm this;
I plan to bump it this weekend.

Comment 3 Sergey Popov gentoo-dev

2013-07-15 15:09:18 UTC

2.6.32.78.28 is in tree now, let's stabilize it

Target keywords: amd64 x86

Comment 4 Peter Volkov (RETIRED) gentoo-dev

2013-07-17 17:56:54 UTC

amd64/x86 stable.

Comment 5 Chris Reffett (RETIRED) gentoo-dev

2013-08-29 17:12:31 UTC

Kernels don't get GLSAs. Closing.

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2013-08-29 22:46:26 UTC

CVE-2013-2224 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2224):
  A certain Red Hat patch for the Linux kernel 2.6.32 on Red Hat Enterprise
  Linux (RHEL) 6 allows local users to cause a denial of service (invalid free
  operation and system crash) or possibly gain privileges via a sendmsg system
  call with the IP_RETOPTS option, as demonstrated by hemlock.c.  NOTE: this
  vulnerability exists because of an incorrect fix for CVE-2012-3552.