Summer is off to a hot start. We had only just fixed CVE-2014-0196, which allows getting local root, when another, similar local vulnerability arrived: CVE-2014-3153. Although there is no public exploit for now, all current kernel versions are affected: from 2.6.32 to 3.14.5.
Note for Gentoo users: unlike with CVE-2014-0196, hardened kernels are also affected.
Here is a translation of the original announcement from the mailing list:
Pinkie Pie (as I understand it, some kind of strong security researcher is hiding under the nickname of the character from My Little Pony - translator's note) discovered a problem in the futex subsystem, which allows a local user to gain control of ring 0 through the futex system call. An unprivileged user can use this vulnerability to crash the kernel (leading to a denial of service (DoS)) or to escalate privileges.
The initial patch that fixes the vulnerability.
Updates are available for all stable kernel branches.
Reportedly, the vulnerability is especially “good” because the futex subsystem is available inside all the sandboxes on Linux, which are used, for example, by Chromium, Tor and OpenSSH.
Update, colleagues; do not wait for an exploit to appear.
Bug in Gentoo. Fixed versions: sys-kernel/gentoo-sources-{3.10.41,3.12.21}-r1, hardened-sources-3.14.5-r2, hardened-sources-3.2.59-r5
Debian wheezy has been fixed. Fixed version: 3.2.57-3+deb7u2. The fix for other versions of Debian will be available later.
Fixed in Ubuntu. For trusty, the version is 3.13.0-29.53.
Arch Linux is lagging behind.