[v2.7] kernel: multiple issues (CVE-2014-9584, CVE-2014-8989, CVE-2014-9420, CVE-2014-9419)
The Linux kernel packages shipped with Alpine Linux are affected by the multiple issues listed below.
Affected versions: < 3.10.64 (Alpine Linux v2.6, v2.7); < 3.14.28 (Alpine Linux v3.0, v3.1)
CVE-2014-9584: kernel: isofs: unchecked printing of ER records
The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in
the Linux kernel before 3.18.2 does not validate a length value in the
Extensions Reference (ER) System Use Field, which allows local users to
obtain sensitive information from kernel memory via a crafted iso9660
image.
Upstream:
https://github.com/torvalds/linux/commit/4e2024624e678f0ebb916e6192bd23c1f9fdf696
3.10.y: fixed in 3.10.64:
https://github.com/torvalds/linux/commit/684f4c093f182756a1c1f582c415d3120cc7f5e8
3.14.y: fixed in 3.14.28:
https://github.com/torvalds/linux/commit/a3d4f59634f38d5236b182b403df74bbceeac7c9
http://seclists.org/oss-sec/2015/q1/99
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9584
CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=4e2024624e678f0ebb916e6192bd23c1f9fdf696
CVE-2014-8989: kernel: improper dropping of supplemental groups in user namespaces ("negative groups")
The Linux kernel through 3.17.4 does not properly restrict dropping of
supplemental group memberships in certain namespace scenarios, which
allows local users to bypass intended file permissions by leveraging a
POSIX ACL containing an entry for the group category that is more
restrictive than the entry for the other category, aka a "negative
groups" issue, related to kernel/groups.c, kernel/uid16.c, and
kernel/user_namespace.c.
Upstream:
https://github.com/torvalds/linux/commit/f95d7918bd1e724675de4940039f2865e5eec5fe
https://github.com/torvalds/linux/commit/80dd00a23784b384ccea049bfb3f259d3f973b9d
https://github.com/torvalds/linux/commit/be7c6dba2332cef0677fbabb606e279ae76652c3
https://github.com/torvalds/linux/commit/273d2c67c3e179adb1e74f403d1e9a06e3f841b5
https://github.com/torvalds/linux/commit/0542f17bf2c1f2430d368f44c8fcf2f82ec9e53e
3.10.y: fixed in 3.10.64:
https://github.com/torvalds/linux/commit/a1821391e5072029118857f6ebb27f3cf66b9f33
https://github.com/torvalds/linux/commit/f028f2d73293b65a5e58ee7468a8683b39fd912c
https://github.com/torvalds/linux/commit/ba0922adbd2ccffe444608298ae0506401eac4c3
https://github.com/torvalds/linux/commit/fc9b65e3d7703e6d63875b0b233bbe26a4a513ba
https://github.com/torvalds/linux/commit/b8a0441b542f6d6bd6fda46cc735ae71392cb845
3.14.y: fixed in 3.14.28:
https://github.com/torvalds/linux/commit/7faecd49fcc937d1ea700a8dc46bbc90b88f4ff4
https://github.com/torvalds/linux/commit/ea7c8d3da1bd9b90fd96d4b357c869b93552ee21
https://github.com/torvalds/linux/commit/804733ad85b1ab68812fa438b3b4133d1d85581a
https://github.com/torvalds/linux/commit/f077e88fc9f0befcf0441be2fed9516881ab02ef
https://github.com/torvalds/linux/commit/096b0c8d7033ef56d4c0eb13a29865a021eedea5
http://seclists.org/oss-sec/2014/q4/698
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8989
https://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.10.64
CVE-2014-9420: kernel: fs: isofs: infinite loop in CE records
The rock_continue function in fs/isofs/rock.c in the Linux kernel
through 3.18.1 does not restrict the number of Rock Ridge continuation
entries, which allows local users to cause a denial of service (infinite
loop, and system crash or hang) via a crafted iso9660 image.
Upstream:
https://github.com/torvalds/linux/commit/f54e18f1b831c92f6512d2eedb224cd63d607d3d
3.10.y: fixed in 3.10.64:
https://github.com/torvalds/linux/commit/1fe5620fcd6c2f0a4a927ee10c8e53196da392f3
3.14.y: fixed in 3.14.28:
https://github.com/torvalds/linux/commit/8190393a88f2b0321263a54f2a9eb5a2aa43be7e
http://seclists.org/oss-sec/2014/q4/1143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9420
CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f54e18f1b831c92f6512d2eedb224cd63d607d3d
CVE-2014-9419: Linux x86_64 userspace address leak
The __switch_to function in arch/x86/kernel/process_64.c in the
Linux kernel through 3.18.1 does not ensure that Thread Local Storage
(TLS) descriptors are loaded before proceeding with other steps, which
makes it easier for local users to bypass the ASLR protection mechanism
via a crafted application that reads a TLS base address.
Upstream:
https://github.com/torvalds/linux/commit/f647d7c155f069c1a068030255c300663516420e
3.10.y: fixed in 3.10.64:
https://github.com/torvalds/linux/commit/cb7977a9a8f74fa555a893c052f82a826cc66231
3.14.y: fixed in 3.14.28:
https://github.com/torvalds/linux/commit/b7e804ab2e46308e54c0ec2b9e242271a455ddb8
http://seclists.org/oss-sec/2014/q4/1140
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9419
CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f647d7c155f069c1a068030255c300663516420e
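The following POSIX sh script is an added example, not part of this issue or of Alpine's own tooling: it takes a kernel version string (as printed by uname -r), strips any Alpine flavour suffix such as "-0-grsec", and reports whether the version is at or above the stable release that carries all four fixes listed above (3.10.64 for the 3.10.y series, 3.14.28 for 3.14.y). Series the issue does not cover are reported as "unknown" rather than guessed. The helper names vercmp and fix_status are this example's own.

```shell
#!/bin/sh
# Added example: compare a running kernel version against the fixed
# stable releases named in this issue (3.10.64 and 3.14.28).
# Only the 3.10.y and 3.14.y series are known to this script.

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B on dotted numeric versions.
# Missing trailing components are treated as 0, so 3.10 == 3.10.0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}          # leading component of each
        [ "$ai" = "$a" ] && a="" || a=${a#*.}
        [ "$bi" = "$b" ] && b="" || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# fix_status VERSION: prints "fixed", "vulnerable" or "unknown".
fix_status() {
    v=${1%%-*}                              # drop "-0-grsec" style suffixes
    series=$(printf '%s\n' "$v" | cut -d. -f1,2)
    case "$series" in
        3.10) need=3.10.64 ;;               # fixed version for 3.10.y (from the issue)
        3.14) need=3.14.28 ;;               # fixed version for 3.14.y (from the issue)
        *) printf '%s\n' unknown; return ;; # series not covered by this issue
    esac
    if [ "$(vercmp "$v" "$need")" -ge 0 ]; then
        printf '%s\n' fixed
    else
        printf '%s\n' vulnerable
    fi
}

# Check the kernel this script is running on.
fix_status "$(uname -r)"
```

Run it on the host as-is, or pass an explicit version string to fix_status to check a kernel that is not currently booted (for example one listed by apk info). A result of "unknown" means the issue gives no threshold for that series, not that the kernel is safe.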
(from redmine: issue id 3924, created on 2015-02-10, closed on 2017-09-05)
- Relations:
- parent #3922