Bug 922039 (CVE-2012-6536)

Summary: CVE-2012-6536 Kernel: xfrm_user: ensure user supplied esn replay window is valid
Product: [Other] Security Response Reporter: Prasad Pandit <ppandit>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: agordeev, anton, bhu, davej, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, jonathan, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, mcressma, plougher, rt-maint, rvrbovsk, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-09 18:15:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 858947    

Description Prasad Pandit 2013-03-15 12:56:37 UTC
Linux kernel built with XFRM framework support is vulnerable to a memory
leakage flaw. It occurs when a user creates a new state or updates an
existing one but does not supply the bytes for the whole ESN replay window
and the kernel copies heap bytes into the replay bitmap follow the
XFRMA_REPLAY_ESN_VAL netlink attribute.

A privileged(CAP_NET_ADMIN) user could use this flaw to leak up to ~3.5kB of
kernel heap memory.

Upstream fix
 -> https://git.kernel.org/linus/ecd7918745234e423dd87fcc0c077da557909720

 -> http://www.openwall.com/lists/oss-security/2013/03/14/21

Comment 1 Prasad Pandit 2013-03-15 13:00:00 UTC

This issue does not affect the versions of the kernel package as shipped with
Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.