[QSA - 0326131] Linux kernel vulnerability

Qlustar Security Advisory 0326131

March 26, 2013

Summary:

The system could be made to run programs as an administrator.


Package(s)       : linux-image-ql-server, linux-image-ql-beowulf
Affected versions: All versions prior to this update
Vulnerability    : privilege escalation/denial of service
Problem type     : local
Qlustar-specific : no
CVE Id(s)        : CVE-2013-0268, CVE-2013-0309, CVE-2013-1773

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2013-0268

A flaw was reported in the permission checks done by the Linux kernel for /dev/cpu/*/msr. A local root user with all capabilities dropped could exploit this flaw to execute code with full root capabilities.

CVE-2013-0309

A flaw was discovered in the Linux kernel's handling of memory ranges with PROT_NONE when transparent hugepages are in use. An unprivileged local user could exploit this flaw to cause a denial of service (crash the system).

CVE-2013-1773

A flaw was discovered in the Linux kernel's VFAT filesystem driver when a disk is mounted with the utf8 option (this is the default on Ubuntu). On a system where disks/images can be auto-mounted or a FAT filesystem is mounted, an unprivileged user can exploit the flaw to gain root privileges.
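The following is an added example, not part of the Qlustar advisory: a shell check for two of the preconditions named above, vfat mounts carrying the utf8 option (CVE-2013-1773) and the active transparent hugepage mode (CVE-2013-0309). The function names are hypothetical and the sample mount lines are constructed; the paths default to the standard /proc and /sys locations.

```shell
#!/bin/sh
# Added example: report the preconditions this advisory names.
# Function names are hypothetical; sample data below is constructed.

# Print mount points of vfat filesystems mounted with the standalone
# "utf8" option. Input is a file in /proc/mounts format.
vfat_utf8_mounts() {
    awk '$3 == "vfat" {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            # Exact token match: "iocharset=utf8" is a different option.
            if (opt[i] == "utf8") { print $2; break }
    }' "${1:-/proc/mounts}"
}

# Print the active transparent hugepage mode, i.e. the bracketed word
# in a line such as "always madvise [never]".
thp_mode() {
    f="${1:-/sys/kernel/mm/transparent_hugepage/enabled}"
    [ -r "$f" ] || { echo "unavailable"; return 0; }
    sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$f"
}

# Constructed sample in /proc/mounts format, for trying the parser offline.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,uid=1000,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,flush 0 0
/dev/sdc1 /mnt/fat vfat rw,codepage=437,iocharset=utf8,shortname=mixed 0 0
EOF
}

# Report for the running system.
echo "Kernel release: $(uname -r)"
echo "Transparent hugepage mode: $(thp_mode)"
if [ -r /proc/mounts ]; then
    echo "vfat mounts with the utf8 option:"
    vfat_utf8_mounts | sed 's/^/  /'
fi
```

An empty mount list or a hugepage mode of "never" only describes the current state of the machine; the kernel update below is still what corrects the flaws.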

Update instructions:

The problem can be corrected by updating your system to the following package versions (follow the Qlustar Update Guide):

linux-image-ql-server                      2.6.32.60-ql-server-64
qlustar-module-core-precise-amd64-8.0.1    8.0.1-b419f807