[security-announce] Kernel-ALSA: Security update

Sona Sarmadi sona.sarmadi at enea.com
Fri Jan 30 09:06:14 CET 2015


          Enea Linux Security Advisory

=========================================================
Product/package: kernel-ALSA (FSL kernel: 3.8.11)
Severity: Moderate
Issue date: 2015-01-30
CVE Names: CVE-2014-4656
Layer: meta-enea
=========================================================
Handle numid overflow
Ensure that id->index does not overflow

README file: 0026-ALSA-CVE-2014-4656.README
Patch file: 0026-ALSA-CVE-2014-4656.patch

Description
===========
Multiple integer overflows in sound/core/control.c in the ALSA control
implementation in the Linux kernel before 3.15.2 allow local users to
cause a denial of service by leveraging /dev/snd/controlCX access,
related to (1) index values in the snd_ctl_add function and (2) numid
values in the snd_ctl_remove_numid_conflict function.
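
The two overflow classes named above, as an added example that is not taken from the Enea patch or from the kernel source: a user-space C model of the unsigned wrap-around and of overflow-safe checks for it. The struct, the function names and the choice to restart numbering at 0 are assumptions of this model.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model: a block of `count` consecutive control elements
 * starting at element index `index`. */
struct ctl_block {
    unsigned int index;
    unsigned int count;
};

/* Unchecked arithmetic: the sum silently wraps modulo UINT_MAX + 1. */
static unsigned int unchecked_end(const struct ctl_block *b)
{
    return b->index + b->count;
}

/* Check (1): reject a block whose index range would wrap.
 * Written as a subtraction so the check itself cannot overflow. */
static bool index_range_ok(const struct ctl_block *b)
{
    return b->index <= UINT_MAX - b->count;
}

/* Check (2): pick the base for the next `count` numeric ids.
 * If last_numid + count would wrap, restart from 0 (model assumption). */
static unsigned int numid_base(unsigned int last_numid, unsigned int count)
{
    if (last_numid >= UINT_MAX - count)
        return 0;
    return last_numid;
}

int main(void)
{
    /* Constructed sample values, chosen to sit next to the wrap point. */
    struct ctl_block bad = { UINT_MAX - 1, 4 };
    struct ctl_block good = { 10, 4 };

    printf("bad:  end=%u ok=%d\n", unchecked_end(&bad), index_range_ok(&bad));
    printf("good: end=%u ok=%d\n", unchecked_end(&good), index_range_ok(&good));
    printf("numid base near wrap: %u\n", numid_base(UINT_MAX - 2, 4));
    printf("numid base normal:    %u\n", numid_base(100, 4));
    return 0;
}
```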

Reference
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4656

How to apply the patches
=======================
We recommend that you apply all existing relevant patches for your
release, available at http://linux.enea.com/4.0/patches.

- Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget http://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

- Fetch and apply the new patch
cd Enea-Linux-4.0/poky/meta-enea
wget http://linux.enea.com/4.0/patches/0026-ALSA-CVE-2014-4656.patch
patch -p1 < ./0026-ALSA-CVE-2014-4656.patch

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Software Engineer/Security Responsible for Enea Linux
Mobile: +46 70 971 4475
www.enea.com
