cybersecurity alert CVE-2014-4652 CVE-2014-4653 CVE-2014-4654

Linux kernel: multiple vulnerabilities of ALSA

Summary of the vulnerability

An attacker can exploit several vulnerabilities in ALSA in the Linux kernel.
Severity of this computer vulnerability: 2/4.
Number of vulnerabilities in this bulletin: 5.
Creation date: 24/06/2014.
References for this bulletin: CERTFR-2014-AVI-373, CERTFR-2014-AVI-388, CERTFR-2014-AVI-416, CVE-2014-4652, CVE-2014-4653, CVE-2014-4654, CVE-2014-4655, CVE-2014-4656, MDVSA-2014:155, openSUSE-SU-2014:0957-1, openSUSE-SU-2014:0985-1, openSUSE-SU-2014:1246-1, RHSA-2014:1083-01, RHSA-2014:1392-01, RHSA-2014:1724-01, RHSA-2014:1971-01, RHSA-2015:0087-01, RHSA-2015:1272-01, SUSE-SU-2014:0908-1, SUSE-SU-2014:0909-1, SUSE-SU-2014:0910-1, SUSE-SU-2014:0911-1, SUSE-SU-2014:0912-1, SUSE-SU-2014:1105-1, SUSE-SU-2014:1138-1, SUSE-SU-2015:0812-1, USN-2332-1, USN-2333-1, USN-2334-1, USN-2335-1, USN-2336-1, USN-2337-1, VIGILANCE-VUL-14932.

Description of the vulnerability

Several vulnerabilities were announced in ALSA (Advanced Linux Sound Architecture).

An attacker can read a memory fragment, in order to obtain sensitive information. [severity:1/4; CVE-2014-4652]

An attacker can use a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:2/4; CVE-2014-4654, CVE-2014-4655]

An attacker can use a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:2/4; CVE-2014-4653]

An attacker can generate an integer overflow, in order to trigger a denial of service, and possibly to execute code. [severity:2/4; CVE-2014-4656]

This weakness impacts software or systems such as Android OS, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team rated the severity of this vulnerability bulletin as medium.

The trust level is confirmed by the vendor, and the attack origin is a user shell.

This bulletin is about 5 vulnerabilities.

An attacker with expert ability can exploit the threats in this bulletin.

Solutions for this threat

Linux kernel: version 3.15.2.
The version 3.15.2 is fixed:
  https://www.kernel.org/pub/linux/kernel/v3.x/

Linux kernel: version 3.14.9.
The version 3.14.9 is fixed:
  https://www.kernel.org/pub/linux/kernel/v3.x/

Linux kernel: version 3.12.24.
The version 3.12.24 is fixed:
  https://www.kernel.org/pub/linux/kernel/v3.x/

Linux kernel: version 3.10.45.
The version 3.10.45 is fixed:
  https://www.kernel.org/pub/linux/kernel/v3.x/

Linux kernel: version 3.4.95.
The version 3.4.95 is fixed:
  https://www.kernel.org/pub/linux/kernel/v3.x/

Linux kernel: version 3.2.61.
The version 3.2.61 is fixed:
  https://www.kernel.org/pub/linux/kernel/v3.x/

Linux kernel: version 2.6.32.64.
The version 2.6.32.64 is fixed:
  https://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/

Linux kernel: version 2.6.32.65.
The version 2.6.32.65 is fixed:
  https://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/

Linux kernel: patch for ALSA.
A patch is available:
  https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=07f4d9d74a04aa7c72c5dae0ef97565f28f17b92
  https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=82262a46627bebb0febcc26664746c25cef08563
  https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=fd9f26e4eca5d08a27d12c0933fceef76ed9663d
  https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=ac902c112d90a89e59916f751c2745f4dbdbb4bd
  https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=883a1d49f0d77d30012f114b2e19fc141beb3e8e

Android OS: patch 2016-09-05.
A patch is indicated in information sources.

Android OS: patch 2017-04-01 and 2017-04-05.
A patch is indicated in information sources.

Mandriva: new kernel packages.
New packages are available, as indicated in information sources.

openSUSE 11.4: new kernel packages (29/09/2014).
New packages are available:
  openSUSE 11.4: kernel 3.0.101-91.1

openSUSE 12.3: new kernel packages (04/08/2014).
New packages are available:
  openSUSE 12.3: kernel 3.7.10-1.40.1

openSUSE 13.1: new kernel packages (11/08/2014).
New packages are available:
  openSUSE 13.1: kernel-vanilla 3.11.10-21.1, xen 4.3.2_01-21.1

Red Hat Enterprise MRG for RHEL-6: new kernel-rt packages.
New packages are available:
  RHEL 6: kernel-rt 3.10.33-rt32.45.el6rt

RHEL 6: new kernel packages (14/10/2014).
New packages are available:
  RHEL 6: kernel 2.6.32-504.el6

RHEL 6: new kernel packages (22/07/2015).
New packages are available:
  RHEL 6: kernel 2.6.32-573.el6

RHEL 6: new kernel packages (28/01/2015).
New packages are available:
  RHEL 6: kernel 2.6.32-504.8.1.el6

RHEL 7: new kernel packages (10/12/2014).
New packages are available:
  RHEL 7: kernel 3.10.0-123.13.1.el7

RHEL 7: new kernel packages (29/10/2014).
New packages are available:
  RHEL 7: kernel 3.10.0-123.9.2.el7

SUSE LE 10: new kernel packages (04/05/2015).
New packages are available:
  SUSE LE 10: kernel 2.6.16.60-0.132.1

SUSE LE 11: new kernel packages (17/07/2014).
New packages are available:
  SUSE LE 11: kernel 3.0.101-0.35.1

SUSE LE 11 SP1: new kernel packages.
New packages are available:
  SUSE LE 11: kernel 2.6.32.59-0.15.2

SUSE LE 11 SP2: new kernel packages.
New packages are available:
  SUSE LE 11: kernel 3.0.101-0.7.23.1

SUSE LE RT 11: new kernel-rt packages.
New packages are available:
  SUSE LE 11: kernel-rt 3.0.101.rt130-0.24.1

Ubuntu 10.04: new linux-image-2.6.32-369-ec2 packages.
New packages are available:
  Ubuntu 10.04 LTS: linux-image-2.6.32-369-ec2 2.6.32-369.85

Ubuntu 10.04: new linux-image-2.6.32-65-generic packages.
New packages are available:
  Ubuntu 10.04 LTS: linux-image-2.6.32-65-generic 2.6.32-65.131

Ubuntu 12.04: new linux-image-3.13.0-35-generic packages.
New packages are available:
  Ubuntu 12.04 LTS: linux-image-3.13.0-35-generic 3.13.0-35.62~precise1

Ubuntu 12.04: new linux-image-3.2.0-1452-omap4 packages.
New packages are available:
  Ubuntu 12.04 LTS: linux-image-3.2.0-1452-omap4 3.2.0-1452.72

Ubuntu 12.04: new linux-image-3.2.0-68-generic packages.
New packages are available:
  Ubuntu 12.04 LTS: linux-image-3.2.0-68-generic 3.2.0-68.102

Ubuntu 14.04: new linux-image-3.13.0-35-generic packages.
New packages are available:
  Ubuntu 14.04 LTS: linux-image-3.13.0-35-generic 3.13.0-35.62
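As an added example (not Vigil@nce tooling), the following check compares a mainline kernel release string against the fixed stable versions listed above. It assumes that a kernel with a distribution suffix (such as `-504.el6` or `-35-generic`) cannot be judged from mainline numbers and must be checked against the distribution advisory instead, and that, where the bulletin lists two fixed versions for the 2.6.32 branch, the later one (2.6.32.65) is required to cover all five CVEs.

```python
"""Check a kernel release against the fixed versions in this ALSA bulletin."""
import platform
import re

# Fixed stable versions from the bulletin, keyed by stable branch prefix.
# Assumption: for the 2.6.32 branch the later listed fix (2.6.32.65) is required.
FIXED_VERSIONS = {
    (3, 15): (3, 15, 2),
    (3, 14): (3, 14, 9),
    (3, 12): (3, 12, 24),
    (3, 10): (3, 10, 45),
    (3, 4): (3, 4, 95),
    (3, 2): (3, 2, 61),
    (2, 6, 32): (2, 6, 32, 65),
}

# Leading dotted numeric part, then everything else (distro/local suffix).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)(.*)$")


def parse_version(release):
    """Split a `uname -r` string into (numeric tuple, suffix).
    '3.10.45' -> ((3, 10, 45), ''), '2.6.32-504.el6' -> ((2, 6, 32), '-504.el6')."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)


def branch_of(version):
    """Return the stable branch key from FIXED_VERSIONS that this version belongs to."""
    for branch in FIXED_VERSIONS:
        if version[:len(branch)] == branch:
            return branch
    return None


def assess(release):
    """Return 'fixed', 'vulnerable' or 'unknown' for a kernel release string.
    Distribution kernels carry backported fixes under their own version scheme,
    so any non-empty suffix yields 'unknown'; so does a branch the bulletin omits."""
    version, suffix = parse_version(release)
    if suffix:
        return "unknown"
    branch = branch_of(version)
    if branch is None:
        return "unknown"
    # Tuple comparison: a shorter tuple such as (3, 15) sorts below (3, 15, 2).
    return "fixed" if version >= FIXED_VERSIONS[branch] else "vulnerable"


if __name__ == "__main__":
    print(platform.release(), "->", assess(platform.release()))
```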