Updated kernel packages that fix three security issues are now available for Red Hat Enterprise Linux 6.2 Extended Update Support.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the Linux kernel’s futex subsystem handled the requeuing of certain Priority Inheritance (PI) futexes. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2014-3153, Important)

* A flaw was found in the way the Linux kernel’s floppy driver handled user space provided data in certain error code paths while processing FDRAWCMD IOCTL commands. A local user with write access to /dev/fdX could use this flaw to free (using the kfree() function) arbitrary kernel memory. (CVE-2014-1737, Important)

* It was found that the Linux kernel’s floppy driver leaked internal kernel memory addresses to user space during the processing of the FDRAWCMD IOCTL command. A local user with write access to /dev/fdX could use this flaw to obtain information about the kernel heap arrangement. (CVE-2014-1738, Low)

Note: A local user with write access to /dev/fdX could use these two flaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate their privileges on the system.

Red Hat would like to thank Kees Cook of Google for reporting CVE-2014-3153, and Matthew Daley for reporting CVE-2014-1737 and CVE-2014-1738. Google acknowledges Pinkie Pie as the original reporter of CVE-2014-3153.

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

To install kernel packages manually, use “rpm -ivh [package]”. Do not use “rpm -Uvh” as that will remove the running kernel binaries from your system. You may use “rpm -e” to remove old kernels after determining that the new kernel functions properly on your system.

Red Hat Enterprise Linux Server AUS (v. 6.2)
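The manual install procedure above boils down to two checks an administrator wants before running “rpm -e”: the newly installed kernel is the one actually running after the reboot, and the running kernel is never among the packages handed to rpm -e. The shell helpers below are an added example, not part of the Red Hat advisory; they assume kernel package names of the form kernel-<version>-<release>.<arch> and that “uname -r” reports <version>-<release>.<arch>, and the version strings in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the advisory): safety checks for the manual
# "rpm -ivh" kernel update followed by "rpm -e" of old kernels.
# Assumption: package name == "kernel-" + output of "uname -r".

# new_kernel_active NEW_PKG RUNNING_RELEASE
#   NEW_PKG is the package installed with rpm -ivh, RUNNING_RELEASE is
#   the output of "uname -r". Succeeds only when the new kernel is the one
#   currently running, i.e. the reboot required by the advisory happened
#   and the new kernel booted.
new_kernel_active() {
    [ "kernel-$2" = "$1" ]
}

# removable_kernels RUNNING_RELEASE PKG...
#   PKG... is the installed kernel inventory (e.g. from "rpm -q kernel").
#   Prints every kernel package except the running one, one per line, as
#   candidates for "rpm -e". Prints nothing and fails if the running kernel
#   is not in the inventory: then the inventory is not trustworthy and
#   nothing should be removed.
removable_kernels() {
    running="kernel-$1"; shift
    found=0; others=""
    for pkg in "$@"; do
        if [ "$pkg" = "$running" ]; then
            found=1
        else
            others="${others}${pkg}
"
        fi
    done
    [ "$found" -eq 1 ] || return 1
    printf '%s' "$others"
}

# Demo with constructed placeholder versions (run as: sh script.sh demo).
if [ "${1:-}" = "demo" ]; then
    new_pkg="kernel-2.6.32-220.99.1.el6.x86_64"
    running="2.6.32-220.99.1.el6.x86_64"
    new_kernel_active "$new_pkg" "$running" && echo "new kernel is running"
    echo "safe to remove:"
    removable_kernels "$running" \
        kernel-2.6.32-220.1.1.el6.x86_64 "$new_pkg"
fi
```

Review the printed list before passing it to rpm -e; the helper only guarantees the running kernel is excluded, not that an older kernel is unwanted.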

(The unlinked packages above are only available from the Red Hat Network)
1094299 – CVE-2014-1737 CVE-2014-1738 kernel: block: floppy: privilege escalation via FDRAWCMD floppy ioctl command
1103626 – CVE-2014-3153 kernel: futex: pi futexes requeue issue

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from:
