[security-announce] Kernel: Security update

Sona Sarmadi sona.sarmadi at enea.com
Wed May 6 11:41:21 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		Enea Linux Security Advisory

=========================================================
Product/package: kernel (FSL kernel: 3.8.11)
Severity: Low
CVE Names: CVE-2014-9584
isofs: unchecked printing of ER records
Layer: meta-enea
=========================================================

This security update fixes an information leakage flaw in
the Linux kernel built with the iso9660 file system (CONFIG_ISO9660_FS).

Signed/SHA512 patch/README files
================================
0069-PPC-kernel-isofs-CVE-2014-9584.REAME.asc
0069-PPC-kernel-isofs-CVE-2014-9584.patch.asc
0069-PPC-kernel-isofs-CVE-2014-9584.patch.sha

Description
===========
The parse_rock_ridge_inode_internal function in fs/isofs/rock.c
in the Linux kernel before 3.18.2 does not validate a length
value in the Extensions Reference (ER) System Use Field, which
allows local users to obtain sensitive information from kernel
memory via a crafted iso9660 image.
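
The missing validation, shown as an added example that is not part of this advisory or of the shipped patch: a user-space C model of an ER entry whose reader rejects a len_id that does not fit inside the entry. The struct, the function name and the two sample byte arrays are constructed for illustration; the field order follows the SUSP ER entry layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* User-space model of a SUSP "ER" System Use entry. Names are this
 * example's own, not the kernel's struct rock_ridge. */
struct er_entry {
    uint8_t sig[2];   /* 'E','R' */
    uint8_t len;      /* total entry length, header included */
    uint8_t version;
    uint8_t len_id;   /* bytes of extension identifier in data[] */
    uint8_t len_des;
    uint8_t len_src;
    uint8_t ext_ver;
    uint8_t data[];   /* identifier, then descriptor, then source */
};

/* Constructed sample: well-formed entry, identifier "RRIP_1991A". */
static const uint8_t good_er[] = { 'E','R', 18, 1, 10, 0, 0, 1,
    'R','R','I','P','_','1','9','9','1','A' };
/* Constructed sample: len_id claims 200 bytes in an 18-byte entry. */
static const uint8_t bad_er[] = { 'E','R', 18, 1, 200, 0, 0, 1,
    'R','R','I','P','_','1','9','9','1','A' };

/* Copy the ER identifier into out as a C string.
 * Returns the identifier length, or -1 if the entry is rejected. */
int er_read_id(const uint8_t *buf, size_t avail, char *out, size_t outsz)
{
    const struct er_entry *er = (const struct er_entry *)buf;
    size_t hdr = offsetof(struct er_entry, data);

    if (avail < hdr || memcmp(buf, "ER", 2) != 0)
        return -1;
    if (er->len < hdr || er->len > avail)   /* entry must fit the area */
        return -1;
    /* The validation the advisory describes as missing: without it, a
     * loop over len_id bytes reads past the end of the entry. */
    if (hdr + er->len_id > er->len)
        return -1;
    if ((size_t)er->len_id + 1 > outsz)     /* room for the NUL */
        return -1;
    memcpy(out, er->data, er->len_id);
    out[er->len_id] = '\0';
    return er->len_id;
}
```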

References
==========
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9584
http://www.openwall.com/lists/oss-security/2015/01/09/4

How to apply the patches
=======================
- - - - - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing FSL kernel patches in the right order.

wget https://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

- - - - - Fetch and apply the new patch
cd Enea-Linux-4.0/poky/meta-enea
wget https://linux.enea.com/4.0/patches/0069-PPC-kernel-isofs-CVE-2014-9584.patch.asc
patch -p1 < ./0069-PPC-kernel-isofs-CVE-2014-9584.patch.asc

If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com