CVE-2014-3534 – kernel: s390: ptrace: insufficient sanitization when setting psw mask
https://notcve.org/view.php?id=CVE-2014-3534
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a crafted application that makes a ptrace system call. arch/s390/kernel/ptrace.c en el kernel de Linux anterior a 3.15.8 en el plataforma s390 no restringe debidamente las operaciones de control de la restricción del espacio para direcciones en las solicitudes PTRACE_POKEUSR_AREA, lo que permite a usuarios locales obtener el acceso a la lectura y la escritura en las localizaciones de la memoria del kernel, y como consecuencia ganar privilegios, a través de una aplicación que realiza una llamada al sistema ptrace. It was found that Linux kernel's ptrace subsystem did not properly sanitize the address-space-control bits when the program-status word (PSW) was being set. On IBM S/390 systems, a local, unprivileged user could use this flaw to set address-space-control bits to the kernel space, and thus gain read and write access to kernel memory. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=dab6cf55f81a6e16b8147aed9a843e1691dcd318 http://secunia.com/advisories/59790 http://secunia.com/advisories/60351 http://www.debian.org/security/2014/dsa-2992 http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.15.8 http://www.osvdb.org/109546 http://www.securityfocus.com/bid/68940 http://www.securitytracker.com/id/1030683 https://bugzilla.redhat.com/show_bug.cgi?id=1114089 https://excha • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •
CVE-2014-4943 – Linux Kernel 3.15.6 - PPP-over-L2TP Socket Level Handling Crash (PoC)
https://notcve.org/view.php?id=CVE-2014-4943
The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket. La funcionalidad PPPoL2TP en net/l2tp/l2tp_ppp.c en el kernel de Linux hasta 3.15.6 permite a usuarios locales ganar privilegios mediante el aprovechamiento de diferencias de la estructura de datos entre un socket l2tp y un socket inet. A flaw was found in the way the pppol2tp_setsockopt() and pppol2tp_getsockopt() functions in the Linux kernel's PPP over L2TP implementation handled requests with a non-SOL_PPPOL2TP socket option level. A local, unprivileged user could use this flaw to escalate their privileges on the system. • https://www.exploit-db.com/exploits/36267 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=3cf521f7dc87c031617fd47e4b7aa2593c2f3daf http://linux.oracle.com/errata/ELSA-2014-0924.html http://linux.oracle.com/errata/ELSA-2014-3047.html http://linux.oracle.com/errata/ELSA-2014-3048.html http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00007.html http://lists.opensuse.org • CWE-269: Improper Privilege Management •
CVE-2014-4699 – Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2014-4699
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls. El kernel de Linux anterior a 3.15.4 en los procesadores Intel no restringe debidamente el uso de un valor no canónico para la dirección RIP guardada en el caso de una llamada del sistema que no utilice IRET, lo que permite a usuarios locales aprovechar una condición de carrera y ganar privilegios, o causar una denegación de servicio (fallo doble), a través de una aplicación manipulada que realice llamadas de sistemas ptrace y fork. It was found that the Linux kernel's ptrace subsystem allowed a traced process' instruction pointer to be set to a non-canonical memory address without forcing the non-sysret code path when returning to user space. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. Note: The CVE-2014-4699 issue only affected systems using an Intel CPU. • https://www.exploit-db.com/exploits/34134 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a http://linux.oracle.com/errata/ELSA-2014-0924.html http://linux.oracle.com/errata/ELSA-2014-3047.html http://linux.oracle.com/errata/ELSA-2014-3048.html http://openwall.com/lists/oss-security/2014/07/05/4 http://openwall.com/lists/oss-security/2014/07/08/16 http://openwall.com/lists/oss-security/2014/07/08 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-642: External Control of Critical State Data •
CVE-2014-3532
https://notcve.org/view.php?id=CVE-2014-3532
dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded. dbus 1.3.0 anterior a 1.6.22 y 1.8.x anterior a 1.8.6, cuando funciona en Linux 2.6.37-rc4 o posteriores, permite a usuarios locales causar una denegación de servicio (desconexión del bus del sistema de otros servicios o aplicaciones) mediante el envío de un mensaje que contiene un descriptor de ficheros, y posteriormente el exceso en la profundidad máxima de recursión antes de enviar el mensaje inicial. • http://advisories.mageia.org/MGASA-2014-0294.html http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html http://openwall.com/lists/oss-security/2014/07/02/4 http://secunia.com/advisories/59611 http://secunia.com/advisories/59798 http://secunia.com/advisories/60236 http://www.debian.org/security/2014/dsa-2971 http://www.mandriva.com/security/advisories?name=MDVSA-2015:176 http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html https://bugs.freedes • CWE-20: Improper Input Validation •
CVE-2014-4655 – Kernel: ALSA: control: use-after-free in replacing user controls
https://notcve.org/view.php?id=CVE-2014-4655
The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. La función snd_ctl_elem_add en sound/core/control.c en la implementación del control ALSA en el kernel de Linux anterior a 3.15.2 no gestiona debidamente el valor user_ctl_count, lo que permite a usuarios locales causar una denegación de servicio (desbordamiento de enteros y evadir el limite) mediante el aprovechamiento de acceso /dev/snd/controlCX para un numero largo de llamadas SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl. A use-after-free flaw was found in the way the Linux kernel's Advanced Linux Sound Architecture (ALSA) implementation handled user controls. A local, privileged user could use this flaw to crash the system. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=82262a46627bebb0febcc26664746c25cef08563 http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00020.html http://rhn.redhat.com/errata/RHSA-2014-1083.html http://secunia.com/advisories/59434 http://secunia.com/advisories/59777 http://secunia.com/advisories/60545 http://secunia.com/advisories/60564 http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.15.2 http://www.openwall.com/lists/o • CWE-190: Integer Overflow or Wraparound CWE-416: Use After Free •