{ "threat_severity" : "Important", "public_date" : "2014-05-07T00:00:00Z", "bugzilla" : { "description" : "kernel: block: floppy: privilege escalation via FDRAWCMD floppy ioctl command", "id" : "1094299", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1094299" }, "cvss" : { "cvss_base_score" : "6.6", "cvss_scoring_vector" : "AV:L/AC:M/Au:S/C:C/I:C/A:C", "status" : "verified" }, "details" : [ "The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device.", "A flaw was found in the way the Linux kernel's floppy driver handled user space provided data in certain error code paths while processing FDRAWCMD IOCTL commands. A local user with write access to /dev/fdX could use this flaw to free (using the kfree() function) arbitrary kernel memory. (CVE-2014-1737, Important)\nIt was found that the Linux kernel's floppy driver leaked internal kernel memory addresses to user space during the processing of the FDRAWCMD IOCTL command. A local user with write access to /dev/fdX could use this flaw to obtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\nNote: A local user with write access to /dev/fdX could use these two flaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate their privileges on the system." ], "acknowledgement" : "Red Hat would like to thank Matthew Daley for reporting this issue.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 5", "release_date" : "2014-06-10T00:00:00Z", "advisory" : "RHSA-2014:0740", "cpe" : "cpe:/o:redhat:enterprise_linux:5", "package" : "kernel-0:2.6.18-371.9.1.el5" }, { "product_name" : "Red Hat Enterprise Linux 5.6 Long Life", "release_date" : "2014-06-26T00:00:00Z", "advisory" : "RHSA-2014:0801", "cpe" : "cpe:/o:redhat:rhel_mission_critical:5.6", "package" : "kernel-0:2.6.18-238.53.1.el5" }, { "product_name" : "Red Hat Enterprise Linux 5.9 Extended Update Support", "release_date" : "2014-06-19T00:00:00Z", "advisory" : "RHSA-2014:0772", "cpe" : "cpe:/o:redhat:rhel_eus:5.9", "package" : "kernel-0:2.6.18-348.27.1.el5" }, { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2014-06-19T00:00:00Z", "advisory" : "RHSA-2014:0771", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "kernel-0:2.6.32-431.20.3.el6" }, { "product_name" : "Red Hat Enterprise Linux 6.2 Advanced Update Support", "release_date" : "2014-06-26T00:00:00Z", "advisory" : "RHSA-2014:0800", "cpe" : "cpe:/o:redhat:rhel_mission_critical:6.2", "package" : "kernel-0:2.6.32-220.52.1.el6" }, { "product_name" : "Red Hat Enterprise Linux 6.4 Extended Update Support", "release_date" : "2014-07-17T00:00:00Z", "advisory" : "RHSA-2014:0900", "cpe" : "cpe:/o:redhat:rhel_eus:6.4", "package" : "kernel-0:2.6.32-358.46.1.el6" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2014-06-24T00:00:00Z", "advisory" : "RHSA-2014:0786", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "kernel-0:3.10.0-123.4.2.el7" }, { "product_name" : "Red Hat Enterprise MRG 2", "release_date" : "2014-05-27T00:00:00Z", "advisory" : "RHSA-2014:0557", "cpe" : "cpe:/a:redhat:enterprise_mrg:2:server:el6", "package" : "kernel-rt-0:3.10.33-rt32.34.el6rt" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux Extended Update Support 5.6", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:rhel_eus:5.6" }, { "product_name" : "Red Hat Enterprise Linux Extended Update Support 6.3", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:rhel_eus:6.3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-1738\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-1738" ], "name" : "CVE-2014-1738", "csaw" : false }