[security-announce] Kernel/n_tty security update

Sona Sarmadi sona.sarmadi at enea.com
Wed Jan 7 15:09:03 CET 2015


					
=====================================================
Product: Kernel/n_tty
Severity: Important
Issue date: 2015-01-07
CVE Names: CVE-2014-0196
===================================================== 
A security patch that fixes CVE-2014-0196 is now available in the "http://linux.enea.com/4.0/patches" folder. 

Patch file: 0009-kernel-n_tty-CVE-2014-0196.patch
README file: 0009-kernel-n_tty-CVE-2014-0196.README

Description
===========
The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not 
properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users 
to cause a denial of service (memory corruption and system crash) or gain privileges by 
triggering a race condition involving read and write operations with long strings. 

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196
 
How to apply the patches
=========================
If you have not yet installed the Enea Linux 4.0 Release:
 
# wget http://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
# tar zxvf Enea-Linux-4.0.tar.gz
 
If you have already installed the Enea Linux 4.0 Release:
 
# cd Enea-Linux-4.0/poky/meta-enea
# wget http://linux.enea.com/4.0/patches/0009-kernel-n_tty-CVE-2014-0196.patch
# patch -p1 < ./0009-kernel-n_tty-CVE-2014-0196.patch
 
If you have any questions regarding the security patches and security updates, please contact security at enea.com.
 
ESRT (Enea Security Response Team)
Sona Sarmadi
Software Engineer/Security Responsible for Enea Linux
Enea
Jan Stenbecks torg 17,
Box 1033, SE-164 21 Kista, Sweden
Direct: +46 8 5071  4475
Mobile: +46 70 971 4475
sona.sarmadi at enea.com
www.enea.com 
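
Added example, not part of Enea's advisory: a wrapper around the `patch -p1` step in "How to apply the patches" that first checks whether the patch is already in the tree and refuses to touch the tree if it does not apply cleanly. The function names `patch_state` and `apply_once` are hypothetical, and requiring exact context with `-F0` is a choice made for this example; GNU patch is assumed.

```shell
#!/bin/sh
# Added example (not Enea's script). patch_state and apply_once are hypothetical names.
# PATCHFILE must be an absolute path because both functions cd into DIR.

# patch_state DIR PATCHFILE -> prints applied | applicable | conflict
patch_state() {
    ps_dir=$1; ps_pf=$2
    # -R --dry-run succeeds only when every hunk is already present in the tree.
    # -f stops patch from prompting or guessing a direction; -F0 demands exact context.
    if (cd "$ps_dir" && patch -p1 -R -f -s -F0 --dry-run < "$ps_pf") >/dev/null 2>&1; then
        echo applied
    elif (cd "$ps_dir" && patch -p1 -f -s -F0 --dry-run < "$ps_pf") >/dev/null 2>&1; then
        echo applicable
    else
        echo conflict
    fi
}

# apply_once DIR PATCHFILE -> applies the patch unless it is already in the tree
apply_once() {
    ao_dir=$1; ao_pf=$2
    case $(patch_state "$ao_dir" "$ao_pf") in
        applied)
            echo "already applied: $ao_pf" ;;
        applicable)
            (cd "$ao_dir" && patch -p1 -f -F0 < "$ao_pf") ;;
        *)
            echo "does not apply cleanly, tree left untouched: $ao_pf" >&2
            return 1 ;;
    esac
}

# Usage with the advisory's paths (run from the directory holding Enea-Linux-4.0):
#   apply_once "$PWD/Enea-Linux-4.0/poky/meta-enea" "$PWD/0009-kernel-n_tty-CVE-2014-0196.patch"
```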
