CVE-2014-3186 – Kernel: HID: memory corruption via OOB write
https://notcve.org/view.php?id=CVE-2014-3186
Buffer overflow in the picolcd_raw_event function in devices/hid/hid-picolcd_core.c in the PicoLCD HID device driver in the Linux kernel through 3.16.3, as used in Android on Nexus 7 devices, allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that sends a large report. Desbordamiento de buffer en la función picolcd_raw_event en devices/hid/hid-picolcd_core.c en el controlador de dispositivos PicoLCD HID en el kernel de Linux hasta 3.16.3, utilizado en Android en los dispositivos Nexus 7, permite a atacantes físicamente próximos causar una denegación de servicio (caída del sistema) o posiblemente ejecutar código arbitrario a través de un dispositivo manipulado que envía un informe grande. A buffer overflow flaw was found in the way the Minibox PicoLCD driver handled Human Interface Device (HID) reports with an invalid size. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=844817e47eef14141cf59b8d5ac08dd11c0a9189 http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html http://www.openwall.com/lists/oss-security/2014/09/11/22 http://www.securityfocus.com/bid/69763 http://www.ubuntu.com/usn/USN-2376-1 http://www.ubuntu.com/usn/USN-2377-1 http://www.ubuntu.com/usn/USN-2378- • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVE-2014-3181 – Kernel: HID: OOB write in magicmouse driver
https://notcve.org/view.php?id=CVE-2014-3181
Multiple stack-based buffer overflows in the magicmouse_raw_event function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver in the Linux kernel through 3.16.3 allow physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with an event. Múltiples desbordamientos de buffer basado en pila en la función magicmouse_raw_event en drivers/hid/hid-magicmouse.c en el controlador Magic Mouse HID en el kernel de Linux hasta 3.16.3 permiten a atacantes físicamente próximos causar una denegación de servicio (caída del sistema) o posiblemente ejecutar código arbitrario a través de un dispositivo que proporciona una cantidad grande de datos (1) EHCI o (2) XHCI asociados con un evento. An out-of-bounds write flaw was found in the way the Apple Magic Mouse/Trackpad multi-touch driver handled Human Interface Device (HID) reports with an invalid size. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=c54def7bd64d7c0b6993336abcffb8444795bf38 http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html http://rhn.redhat.com/errata/RHSA-2014-1318.html http://www.openwall.com/lists/oss-security/2014/09/11/21 http://www.securityfocus.com/bid/69779 http://www.ubuntu.com/usn/USN-2376-1 http://www.ubuntu.com/usn/ • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVE-2014-7145 – Kernel: cifs: NULL pointer dereference in SMB2_tcon
https://notcve.org/view.php?id=CVE-2014-7145
The SMB2_tcon function in fs/cifs/smb2pdu.c in the Linux kernel before 3.16.3 allows remote CIFS servers to cause a denial of service (NULL pointer dereference and client system crash) or possibly have unspecified other impact by deleting the IPC$ share during resolution of DFS referrals. La función SMB2_tcon en fs/cifs/smb2pdu.c en el kernel de Linux anterior a 3.16.3 permite a servidores remotos CIFS causar una denegación de servicio (referencia a puntero nulo y caída del sistema cliente) o posiblemente tener otro impacto no especificado mediante la eliminación de el compartido IPC$ durante la resolución de las referencias DFS. A NULL pointer dereference flaw was found in the way the Linux kernel's Common Internet File System (CIFS) implementation handled mounting of file system shares. A remote attacker could use this flaw to crash a client system that would mount a file system share from a malicious server. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=18f39e7be0121317550d03e267e3ebd4dbfbb3ce http://rhn.redhat.com/errata/RHSA-2015-0102.html http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.3 http://www.openwall.com/lists/oss-security/2014/09/22/4 http://www.securityfocus.com/bid/69867 http://www.ubuntu.com/usn/USN-2394-1 https://github.com/torvalds/linux/commit/18f39e7be0121317550d03e267e3ebd4dbfbb3ce https://access.redhat.com/security/cve& • CWE-399: Resource Management Errors CWE-476: NULL Pointer Dereference •
CVE-2014-3184 – Kernel: HID: off by one error in various _report_fixup routines
https://notcve.org/view.php?id=CVE-2014-3184
The report_fixup functions in the HID subsystem in the Linux kernel before 3.16.2 might allow physically proximate attackers to cause a denial of service (out-of-bounds write) via a crafted device that provides a small report descriptor, related to (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3) drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6) drivers/hid/hid-sunplus.c. Las funciones report_fixup en el subsistema HID en el kernel de Linux anterior a 3.16.2 podrían permitir a atacantes físicamente próximos causar una denegación de servicio (escritura fuera de rango) a través de un dispositivo manipulado que proporciona un descriptor de informes pequeño, relacionado con (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3) drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, y (6) drivers/hid/hid-sunplus.c. Multiple out-of-bounds write flaws were found in the way the Cherry Cymotion keyboard driver, KYE/Genius device drivers, Logitech device drivers, Monterey Genius KB29E keyboard driver, Petalynx Maxter remote control driver, and Sunplus wireless desktop driver handled HID reports with an invalid report descriptor size. An attacker with physical access to the system could use either of these flaws to write data past an allocated memory buffer. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=4ab25786c87eb20857bbb715c3ae34ec8fd6a214 http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00020.html http://rhn.redhat.com/errata/RHSA-2014-1318.html http://rhn.redhat.com/errata/RHSA • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-193: Off-by-one Error •
CVE-2014-3182 – Kernel: HID: logitech-dj OOB array access
https://notcve.org/view.php?id=CVE-2014-3182
Array index error in the logi_dj_raw_event function in drivers/hid/hid-logitech-dj.c in the Linux kernel before 3.16.2 allows physically proximate attackers to execute arbitrary code or cause a denial of service (invalid kfree) via a crafted device that provides a malformed REPORT_TYPE_NOTIF_DEVICE_UNPAIRED value. Error en el indice del arry en la función logi_dj_raw_event en drivers/hid/hid-logitech-dj.c en el kernel de Linux anterior a 3.16.2 permite a atacantes físicamente próximos ejecutar código arbitrario o causar una denegación de servicio (kfree inválido) a través de un dispositivo manipulado que proporciona un valor REPORT_TYPE_NOTIF_DEVICE_UNPAIRED malformado. An out-of-bounds read flaw was found in the way the Logitech Unifying receiver driver handled HID reports with an invalid device_index value. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 http://rhn.redhat.com/errata/RHSA-2014-1318.html http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.2 http://www.openwall.com/lists/oss-security/2014/09/11/21 http://www.securityfocus.com/bid/69770 https://bugzilla.redhat.com/show_bug.cgi?id=1141210 https://code.google.com/p/google-security-research/issues/detail?id=89 https://github.com/t • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •