From ${URL} :

http://marc.info/?l=linux-input&m=137772180514608&w=1
0001-HID-validate-HID-report-id-size.patch
CVE-2013-2888
Requires CONFIG_HID
Memory write via arbitrary heap array index. This is the most serious, IMO, as it allows (on 32-bit) access to the entire memory range (the index is unsigned 32 bit). This is mitigated slightly by the fact that the starting address is at an "unknown" location on the heap, and that the value written is an "arbitrary" kernel pointer. Still, this could almost certainly be turned into full kernel execution given enough study.

http://marc.info/?l=linux-input&m=137772181214612&w=1
0002-HID-provide-a-helper-for-validating-hid-reports.patch
Routine that many of the driver fixes use to verify their report sanity.

http://marc.info/?l=linux-input&m=137772182014614&w=1
0003-HID-zeroplus-validate-output-report-details.patch
CVE-2013-2889
Requires CONFIG_HID_ZEROPLUS
Small past-end-of-heap-alloc zeroing.

http://marc.info/?l=linux-input&m=137772182814616&w=1
0004-HID-sony-validate-HID-output-report-details.patch
CVE-2013-2890
Requires CONFIG_HID_SONY
Small past-end-of-heap-alloc zeroing

http://marc.info/?l=linux-input&m=137772184614622&w=1
0005-HID-steelseries-validate-output-report-details.patch
CVE-2013-2891
Requires CONFIG_HID_STEELSERIES
16 byte past-end-of-heap-alloc zeroing

http://marc.info/?l=linux-input&m=137772185414625&w=1
0006-HID-pantherlord-validate-output-report-details.patch
CVE-2013-2892
Requires CONFIG_HID_PANTHERLORD
Small past-end-of-heap-alloc zeroing

http://marc.info/?l=linux-input&m=137772186714627&w=1
0007-HID-LG-validate-HID-output-report-details.patch
CVE-2013-2893
Requires CONFIG_LOGITECH_FF or CONFIG_LOGIG940_FF or CONFIG_LOGIWHEELS_FF
Userspace-assisted small past-end-of-heap-alloc zeroing

http://marc.info/?l=linux-input&m=137772187514628&w=1
0008-HID-lenovo-tpkbd-validate-output-report-details.patch
CVE-2013-2894
Requires CONFIG_HID_LENOVO_TPKBD
Small past-end-of-heap-alloc zeroing

http://marc.info/?l=linux-input&m=137772188314631&w=1
0009-HID-logitech-dj-validate-output-report-details.patch
CVE-2013-2895
Requires CONFIG_HID_LOGITECH_DJ
Can leak up to 12K of kernel memory contents to device, or NULL deref Oops DoS

http://marc.info/?l=linux-input&m=137772189314633&w=1
0010-HID-ntrig-validate-feature-report-details.patch
CVE-2013-2896
Requires CONFIG_HID_NTRIG
Triggers NULL deref Oops DoS

http://marc.info/?l=linux-input&m=137772190214635&w=1
0011-HID-multitouch-validate-feature-report-details.patch
CVE-2013-2897
Requires CONFIG_HID_MULTITOUCH
Slightly flexible heap overwrite with static value 0x2, or NULL deref Oops DoS

http://marc.info/?l=linux-input&m=137772191114645&w=1
0012-HID-sensor-hub-validate-feature-report-details.patch
CVE-2013-2898
Requires CONFIG_HID_SENSOR_HUB
Potential kernel caller confusion via past-end-of-heap-allocation read

http://marc.info/?l=linux-input&m=137772191714649&w=1
0013-HID-picolcd_core-validate-output-report-details.patch
CVE-2013-2899
Requires CONFIG_HID_PICOLCD
Userspace-assisted NULL deref Oops DoS

http://marc.info/?t=137772196600012&r=1&w=1
0014-HID-check-for-NULL-field-when-setting-values.patch
Just a defensive change, since several drivers would have been less vulnerable with this check.
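A simplified user-space model of the two checks the list above describes (range-checking the device-supplied Report ID before it indexes a table, and a helper that confirms a report has the field and value count a driver expects), added here as an illustration. It is not the kernel's code or the patches' code; every type and function name and the 256-entry table size are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define MODEL_MAX_IDS 256   /* assumed table size for this model */

struct field  { unsigned report_count; int32_t *value; };
struct report { unsigned maxfield; struct field *field[4]; };
struct report_table { struct report *by_id[MODEL_MAX_IDS]; };

/* Hardened lookup/creation: the device-supplied id is a 32-bit value,
 * so it must be range-checked before it indexes the table. */
struct report *register_report(struct report_table *t, uint32_t id)
{
    if (id >= MODEL_MAX_IDS)
        return NULL;             /* reject instead of writing out of bounds */
    if (!t->by_id[id])
        t->by_id[id] = calloc(1, sizeof(struct report));
    return t->by_id[id];
}

/* Attach a field holding `count` values to a report. Returns 0 on success. */
int add_field(struct report *r, unsigned count)
{
    struct field *f;
    if (!r || r->maxfield >= 4) return -1;
    f = calloc(1, sizeof(*f));
    if (!f) return -1;
    f->value = calloc(count ? count : 1, sizeof(int32_t));
    if (!f->value) { free(f); return -1; }
    f->report_count = count;
    r->field[r->maxfield++] = f;
    return 0;
}

/* Driver-side sanity check: the report exists, has the field, and the field
 * holds at least `need` values. Only then is value[0..need-1] safe to touch. */
struct report *validate_values(struct report_table *t, uint32_t id,
                               unsigned field_index, unsigned need)
{
    struct report *r;
    if (id >= MODEL_MAX_IDS || !(r = t->by_id[id]))
        return NULL;             /* no such report: avoids the NULL deref */
    if (field_index >= r->maxfield || !r->field[field_index])
        return NULL;
    if (r->field[field_index]->report_count < need)
        return NULL;             /* too few values: avoids the past-end write */
    return r;
}
```

A driver in this model calls `validate_values()` once at probe time with the layout it expects and refuses the device when it returns NULL.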
Tried to apply to 3.8.13 and 3.10.7; from the looks of it, seems they need to be backported to apply. They are probably written to target 3.11. I'll wait a small bit for upstream to backport these unless someone is willing to rewrite the patches. If not, I might backport these as I am working on a merge workflow to more easily rewrite patches (for the upcoming experimental patches).
CVE-2013-2899 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2899): drivers/hid/hid-picolcd_core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PICOLCD is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device.

CVE-2013-2898 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2898): drivers/hid/hid-sensor-hub.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_SENSOR_HUB is enabled, allows physically proximate attackers to obtain sensitive information from kernel memory via a crafted device.

CVE-2013-2897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2897): Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device.

CVE-2013-2896 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2896): drivers/hid/hid-ntrig.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_NTRIG is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device.

CVE-2013-2895 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2895): drivers/hid/hid-logitech-dj.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_LOGITECH_DJ is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) or obtain sensitive information from kernel memory via a crafted device.

CVE-2013-2894 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2894): drivers/hid/hid-lenovo-tpkbd.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_LENOVO_TPKBD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.

CVE-2013-2893 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2893): The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c.

CVE-2013-2892 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2892): drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.

CVE-2013-2891 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2891): drivers/hid/hid-steelseries.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_STEELSERIES is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.

CVE-2013-2890 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2890): drivers/hid/hid-sony.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_SONY is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.

CVE-2013-2889 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2889): drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.

CVE-2013-2888 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2888): Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID.
Now that this is revised in the stable queue, I have managed to apply these: 2890 has been covered by the revised patch for 2888; 2893 I couldn't find; and for 2897 a revised patch was made because the original has been shown to be problematic @ Fedora. We can be glad to have not backported some of these earlier... Will be part of 3.10.7-r1 and new version bumps.
Looks like these were merged as 22e04f6b4b04a8afe9af9239224591d06ba3b24d, in 3.12.