A flaw was found in the way the Linux kernel’s floppy driver handled user space provided data in certain error code paths while processing FDRAWCMD IOCTL commands. A local user with write access to /dev/fdX could use this flaw to free (using the kfree() function) arbitrary kernel memory.
git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ef87dbe7614341c2e7bfe8d32fcb7028cc97442c
linux.oracle.com/errata/ELSA-2014-0771.html
linux.oracle.com/errata/ELSA-2014-3043.html
lists.opensuse.org/opensuse-security-announce/2014-05/msg00007.html
lists.opensuse.org/opensuse-security-announce/2014-05/msg00012.html
rhn.redhat.com/errata/RHSA-2014-0800.html
rhn.redhat.com/errata/RHSA-2014-0801.html
secunia.com/advisories/59262
secunia.com/advisories/59309
secunia.com/advisories/59406
secunia.com/advisories/59599
www.debian.org/security/2014/dsa-2926
www.debian.org/security/2014/dsa-2928
www.openwall.com/lists/oss-security/2014/05/09/2
www.securityfocus.com/bid/67300
www.securitytracker.com/id/1030474
access.redhat.com/security/updates/classification/#important
bugzilla.redhat.com/show_bug.cgi?id=1094299
github.com/torvalds/linux/commit/ef87dbe7614341c2e7bfe8d32fcb7028cc97442c
rhn.redhat.com/errata/RHSA-2014-0557.html