Bug 1007690 (CVE-2013-4345)

Summary: CVE-2013-4345 kernel: ansi_cprng: off by one error in non-block size request
Product: [Other] Security Response
Reporter: Petr Matousek <pmatouse>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: agordeev, aquini, bhu, dhoward, esammons, fhrbata, iboverma, jkacur, jkurik, jross, kernel-mgr, lgoncalv, lwang, matt, mcressma, nhorman, nobody, plougher, rvrbovsk, security-response-team, sgrubb, smueller, williams
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20130917,reported=20130913,source=researcher,cvss2=2.6/AV:L/AC:H/Au:N/C:P/I:P/A:N,rhel-5/kernel=affected,rhel-6/kernel=affected,mrg-2/realtime-kernel=affected,fedora-all/kernel=affected,rhel-7/kernel=notaffected,cwe=CWE-193[auto]
Doc Type: Bug Fix
Bug Depends On: 1007692, 1007693, 1007694, 1009136, 1009137, 1009138, 1009139    
Bug Blocks: 1007699    

Description Petr Matousek 2013-09-13 03:04:13 EDT
A flaw was found in the way the ansi cprng implementation in the Linux kernel processed non-block-size-aligned requests. If several small requests are made that are less than the instance's block size, the remainder for-loop code doesn't increment rand_data_valid in the last iteration, meaning that the last bytes in the rand_data buffer get reused on the subsequent smaller-than-a-block request for random data.

Acknowledgements:

Red Hat would like to thank Stephan Mueller for reporting this issue.
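
The off-by-one described above, as an added example: a simplified user-space model written for this page, not the kernel's code and not the upstream patch. Only `rand_data` and `rand_data_valid` come from the report; `model_ctx`, `refill`, `get_bytes`, `demo_overlap` and the counter that stands in for the cipher are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#define BLK_SZ 16 /* block size of this model, an assumption */

struct model_ctx {
    unsigned char rand_data[BLK_SZ]; /* current output block */
    unsigned int rand_data_valid;    /* index of the first unused byte */
    unsigned char next;              /* counter standing in for the cipher */
};
/* Stand-in for generating a fresh block: a counter makes reuse visible. */
static void refill(struct model_ctx *ctx)
{
    for (size_t i = 0; i < BLK_SZ; i++)
        ctx->rand_data[i] = ctx->next++;
    ctx->rand_data_valid = 0;
}
/* Serve n bytes; fixed == 0 reproduces the flaw from the description. */
static void get_bytes(struct model_ctx *ctx, unsigned char *out, size_t n, int fixed)
{
    while (n > 0) {
        if (ctx->rand_data_valid == BLK_SZ)
            refill(ctx);
        if (fixed) { /* index advances with every byte handed out */
            while (ctx->rand_data_valid < BLK_SZ && n > 0) {
                *out++ = ctx->rand_data[ctx->rand_data_valid++];
                n--;
            }
        } else {
            for (; ctx->rand_data_valid < BLK_SZ; ctx->rand_data_valid++) {
                *out++ = ctx->rand_data[ctx->rand_data_valid];
                if (--n == 0)
                    break; /* exits before the increment runs */
            }
        }
    }
}
/* Two 4-byte requests: returns 1 if the second starts with a reused byte. */
int demo_overlap(int fixed)
{
    struct model_ctx ctx = { .rand_data_valid = BLK_SZ, .next = 0 };
    unsigned char a[4], b[4];
    get_bytes(&ctx, a, sizeof a, fixed);
    get_bytes(&ctx, b, sizeof b, fixed);
    return a[3] == b[0];
}
int main(void)
{
    printf("flawed: %d, fixed: %d\n", demo_overlap(0), demo_overlap(1));
    return 0;
}
```

In the flawed path the first request returns bytes 0 to 3 and the second returns 3 to 6, so one byte of output is handed out twice across consecutive short requests.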
Comment 4 Petr Matousek 2013-09-17 14:39:28 EDT
Proposed upstream patch:

http://marc.info/?l=linux-crypto-vger&m=137942122902845&w=2
Comment 5 Petr Matousek 2013-09-17 14:42:19 EDT
Statement:

This issue affects the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2 may address this issue.
Comment 6 Petr Matousek 2013-09-17 14:43:47 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1009136]
Comment 9 Fedora Update System 2013-09-30 21:58:44 EDT
kernel-3.11.2-201.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2013-10-02 02:37:15 EDT
kernel-3.11.2-301.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2013-10-02 21:11:47 EDT
kernel-3.10.13-101.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 errata-xmlrpc 2013-10-22 13:34:26 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1449 https://rhn.redhat.com/errata/RHSA-2013-1449.html
Comment 13 errata-xmlrpc 2013-10-31 12:29:27 EDT
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:1490 https://rhn.redhat.com/errata/RHSA-2013-1490.html
Comment 14 errata-xmlrpc 2013-11-21 15:18:40 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1645 https://rhn.redhat.com/errata/RHSA-2013-1645.html
Comment 15 John Kacur 2014-02-06 12:54:01 EST
714b33d15130cbb5ab426456d4e3de842d6c5b8a upstream