Reference: CERT-EU Security Advisory 2013-0048

Title: Linux kernel Vulnerabilities

Version history:
22.05.2013 Initial publication

Summary
=======

A recently discovered vulnerability in the Linux kernel allows a local user to escalate their privilege level and gain root access. Working exploit code is publicly available. All relevant Linux distributions have already published an updated kernel which fixes this vulnerability.

An attacker can exploit this issue to execute arbitrary code with root privileges. Successful exploitation may result in the complete compromise of the affected computers.

CVE numbers:
CVE-2013-2094 7.2 (HIGH) (AV:L/AC:L/Au:N/C:C/I:C/A:C) [1]

Vulnerable systems
==================

Linux kernels 2.6.36 through 3.8.8 (inclusive).
Linux kernels 2.6.32 with Red Hat backports.

Original Details
================

The performance measurement subsystem in the Linux kernel incorrectly casts a 64-bit integer into a 32-bit integer which is subsequently used for array dereferencing. Providing carefully chosen integers as input allows arbitrary code to be executed.

What can you do?
================

Patching is vendor dependent; the issue has been addressed by CentOS, Debian, Red Hat, Scientific Linux, Scientific Linux/CERN and Ubuntu. Refer to your distribution's information channels listed in the More information section.

What to tell your users?
========================

N/A

More information
================

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2094
[2] http://lists.centos.org/pipermail/centos-announce/2013-May/019733.html
[3] https://security-tracker.debian.org/tracker/CVE-2013-2094
[4] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2094
[5] https://rhn.redhat.com/errata/RHSA-2013-0830.html
[6] http://linux.web.cern.ch/linux/updates/updates-slc6.shtml
[7] http://people.canonical.com/~ubuntu-security/cve/CVE-2013-2094

CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
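
The defect class described under "Original Details" (a 64-bit value narrowed to a 32-bit integer and then used as an array index), shown as an added example that is not taken from the advisory or from the kernel source. It assumes the 32-bit integer is signed; `TABLE_MAX` and all function names are hypothetical. The flawed check is placed beside a full-width comparison so the difference can be tested.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical table size; stands in for the array the advisory mentions. */
#define TABLE_MAX 9

/* Index the flawed path ends up with: the 64-bit input narrowed to a
 * signed 32-bit integer (assumed signed). GCC and Clang reduce the value
 * modulo 2^32, so the upper 32 bits are silently discarded. */
static int32_t narrowed_index(uint64_t config)
{
    return (int32_t)config;
}

/* Flawed check: only the upper bound of the narrowed value is tested,
 * so a negative index is accepted. */
static int accepted_flawed(uint64_t config)
{
    return narrowed_index(config) < TABLE_MAX;
}

/* Corrected check: compare the full-width unsigned value before use. */
static int accepted_fixed(uint64_t config)
{
    return config < TABLE_MAX;
}

int main(void)
{
    /* Constructed sample inputs. */
    const uint64_t samples[] = { 3, 9, 0xFFFFFFFFull, 0x80000000ull, 0x100000003ull };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("input=0x%llx narrowed=%ld flawed=%d fixed=%d\n",
               (unsigned long long)samples[i],
               (long)narrowed_index(samples[i]),
               accepted_flawed(samples[i]),
               accepted_fixed(samples[i]));
    return 0;
}
```

The last sample shows a second effect of the narrowing: an out-of-range 64-bit value is accepted by the flawed check because its low 32 bits happen to form a valid index.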