[security-announce] Kernel-HID/USB: Security update

Sona Sarmadi sona.sarmadi at enea.com
Thu Jan 22 07:31:10 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		Enea Linux Security Advisory

======================================================================
Product/package: Kernel-HID/USB: (FSL kernel: 3.8.11)
Severity: Moderate
Issue date: 2015-01-22
CVE Names: CVE-2014-3181, CVE-2014-3182, CVE-2014-3184, CVE-2014-3185
Layer: meta-enea
======================================================================
A security patch that fixes following CVEs is now
available in the "http://linux.enea.com/4.0/patches" folder:

CVE-2014-3181 Kernel: HID: OOB write in magicmouse driver Moderate
CVE-2014-3182 Kernel: HID: logitech-dj OOB array access Low
CVE-2014-3184 Kernel: HID: off by one error in various _report_fixup
routines Low
CVE-2014-3185 Kernel: USB serial: memory corruption flaw Moderate

README file: 0018-Kernel-HID-USB-multiple-CVEs.README
Patch file: 0018-Kernel-HID-USB-multiple-CVEs.patch

Description
===========
CVE-2014-3181
Multiple stack-based buffer overflows in the magicmouse_raw_event
function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver
in the Linux kernel through 3.16.3 allow physically proximate attackers
to cause a denial of service (system crash) or possibly execute
arbitrary code via a crafted device that provides a large amount of (1)
EHCI or (2) XHCI data associated
with an event.

CVE-2014-3182
Array index error in the logi_dj_raw_event function in
drivers/hid/hid-logitech-dj.c
in the Linux kernel before 3.16.2 allows physically proximate
attackers to execute arbitrary code or cause a denial of service
(invalid kfree) via a crafted device that provides a malformed
REPORT_TYPE_NOTIF_DEVICE_UNPAIRED value.

CVE-2014-3184
The report_fixup functions in the HID subsystem in the Linux kernel
before 3.16.2 might allow physically proximate attackers to cause a
denial of service (out-of-bounds write) via a crafted device that
provides a small report descriptor, related to (1)
drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3)
drivers/hid/hid-lg.c, (4)
drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6)
drivers/hid/hid-sunplus.c.

CVE-2014-3185
Multiple buffer overflows in the command_port_read_callback function in
drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the
Linux kernel before 3.16.2 allow physically proximate attackers to
execute arbitrary code or cause a denial of service (memory corruption
and system crash) via a crafted device that provides a large amount of
(1) EHCI or (2) XHCI data associated with a bulk response.

References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3185

How to apply the patches
=========================
If you don't have installed the Enea Linux 4.0 Release:

# wget http://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
# tar zxvf Enea-Linux-4.0.tar.gz

If you have already installed the Enea Linux 4.0 Release:

# cd Enea-Linux-4.0/poky/meta-enea
# wget
http://linux.enea.com/4.0/patches/0018-Kernel-HID-USB-multiple-CVEs.patch
# patch -p1 < ./0018-Kernel-HID-USB-multiple-CVEs.patch


If you have any questions regarding the security patches and security
updates please contact security at enea.com.

ESRT (Enea Security Response Team)
Sona Sarmadi
Software Engineer/Security Responsible for Enea Linux
Mobile: +46 70 971 4475
www.enea.com

This message, including attachments, is CONFIDENTIAL. It may also be
privileged or otherwise protected by law. If you received this email
by mistake please let us know by reply and then delete it from your
system; you should not copy it or disclose its contents to anyone.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBAgAGBQJUwJktAAoJEHc+9u9ocWoUzKUP/172iTzCl/sBd9JZFnzuH1e9
sNNzZsxQL/QnBXlEGeb6+oPmoeJ2DoDrrxSN5k4yffv/3e+5tR94jG/yRo2HJ8qj
InYSFbO2UnPTj8vT2bh+SZC7geWZcTB7pel2y4fBvfpmov+9SZ/aVKt+U8ti8Qxy
aX6xsE7rBowXR2TS+/aRepy8VoR0PB6dw95jiRDpeNyFF/7xmsqIhzf77USK2aiR
0BbAgMeZ00IXdiImyqaGu2MvO9uHpgbsDBuGfp+j+sXAj2PiXsPbzKptEs430iDm
X0JrVFH+eHwEFMT8RngpXMGz1eANAnUNxSBpTAy/TWoIAWpuLn+V0u7KtveBE2qI
qfhAN2Lf8ZpxlgIMliNy9le/+pzNHrjNnltr/24Y9NqjQDS/dkNup77KesVBna+9
iFStaz/L+qgYqQyl6LyYH95FePd7JlscTRaO5jG7JIAb+g6vcQ1CcrIufo3x6Q6c
XB9PSJUMNA7mVAsoE4tODDHNuiWrS3K32mceWobnK9DeoN4RPEGm4Uh8ScEK3Tif
FKsPt1xd8ZvoYcbAJR/OstK8brXXaC0B6tazf/x76IrQdCevPodPRmq7b5D41Sov
mx2wqzwixVDxXrCtky+TFxiaOiMSAnLIuPheHxBqZmT7rz8ZqhWob9gS1btPGDvN
XkW8is4CQbf3OV2QWAke
=OfLf
-----END PGP SIGNATURE-----



More information about the security-announce mailing list