Bug 1035875 (CVE-2013-7263, CVE-2013-7264, CVE-2013-7265, CVE-2013-7281) - CVE-2013-7263 CVE-2013-7265 Kernel: net: leakage of uninitialized memory to user-space via recv syscalls
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-7263, CVE-2013-7264, CVE-2013-7265, CVE-2013-7281
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1035880 1035881 1035882 1035883 1035884 1035885 1035886 1035887
Blocks: 1032009
 
Reported: 2013-11-28 17:35 UTC by Prasad Pandit
Modified: 2019-09-29 13:10 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-04-28 17:40:49 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2014:0159 | 0 | normal | SHIPPED_LIVE | Important: kernel security and bug fix update | 2014-02-11 23:15:53 UTC
Red Hat Product Errata | RHSA-2014:0285 | 0 | normal | SHIPPED_LIVE | Important: kernel security, bug fix, and enhancement update | 2014-03-12 22:28:54 UTC
Red Hat Product Errata | RHSA-2014:0439 | 0 | normal | SHIPPED_LIVE | Important: kernel-rt security, bug fix, and enhancement update | 2014-04-28 20:43:50 UTC

Description Prasad Pandit 2013-11-28 17:35:49 UTC
A Linux kernel built with networking support (CONFIG_NET) is vulnerable to a
memory leakage flaw. It occurs while doing the recvmsg(2), recvfrom(2),
recvmmsg(2) socket calls.

A user/program could use this flaw to leak kernel memory bytes.

Upstream fix:
-------------
 -> https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=bceaa90240b6019ed73b49965eac7d167610be69

 -> https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=85fbaa75037d0b6b786ff18658ddf0b4014ce2a4


Original 'CVE-2013-6405' assigned to this issue has been rejected and the following 4 have been assigned for the same:

   - CVE-2013-7263 (net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c,
                    net/ipv6/raw.c, and net/ipv6/udp.c),
   - CVE-2013-7264 (net/l2tp/l2tp_ip.c),
   - CVE-2013-7265 (net/phonet/datagram.c)
   - CVE-2013-7281 (net/ieee802154/dgram.c)

===
Name: CVE-2013-6405

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2013-7263,
CVE-2013-7264, CVE-2013-7265. Reason: This candidate is a duplicate
of CVE-2013-7263, CVE-2013-7264, and CVE-2013-7265. Notes: All CVE
users should reference CVE-2013-7263, CVE-2013-7264, and/or
CVE-2013-7265 instead of this candidate. All references and
descriptions in this candidate have been removed to prevent accidental
usage.
===

Comment 1 Prasad Pandit 2013-11-28 17:59:58 UTC
Statement CVE-2013-7263:

(none)


Statement CVE-2013-7264:

This issue does not affect the versions of the kernel package as shipped with
Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.


Statement CVE-2013-7265:

This issue does not affect the version of the kernel package as shipped with
Red Hat Enterprise Linux 5.


Statement CVE-2013-7281:

This issue does not affect the versions of the kernel package as shipped with
Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.

Comment 4 Prasad Pandit 2013-11-28 18:10:29 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1035887]

Comment 7 Fedora Update System 2013-12-07 06:58:04 UTC
kernel-3.11.10-200.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2013-12-10 06:15:56 UTC
kernel-3.11.10-100.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2013-12-10 06:55:02 UTC
kernel-3.11.10-301.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2013-12-21 02:14:50 UTC
kernel-3.12.5-200.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2013-12-21 02:24:39 UTC
kernel-3.12.5-302.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Vincent Danen 2014-01-08 20:30:59 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7281 to
the following vulnerability:

Name: CVE-2013-7281
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7281
Assigned: 20140108
Reference: http://www.openwall.com/lists/oss-security/2013/11/28/13
Reference: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=bceaa90240b6019ed73b49965eac7d167610be69
Reference: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.4
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1035875
Reference: https://github.com/torvalds/linux/commit/bceaa90240b6019ed73b49965eac7d167610be69

The dgram_recvmsg function in net/ieee802154/dgram.c in the Linux
kernel before 3.12.4 updates a certain length value without ensuring
that an associated data structure has been initialized, which allows
local users to obtain sensitive information from kernel stack memory
via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
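
Added example (not part of this bug report and not kernel code): a simplified user-space C model of the flaw class the CVE text above describes, a receive handler that updates the address length without ensuring the address structure was filled in, shown beside a corrected handler. All names (model_msg, recv_flawed, recv_fixed, stale_bytes_returned), the 16-byte size and the 0xAA marker are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ADDR_MAX 16   /* stand-in for the size of a socket address */
#define STALE 0xAA    /* constructed marker for leftover stack contents */
struct model_msg {
    unsigned char *name;   /* scratch buffer the handler may fill */
    size_t namelen;        /* bytes of name the handler reports as valid */
};

/* Flawed: length set up front; have_addr == 0 is a path writing no address. */
static void recv_flawed(struct model_msg *m, int have_addr)
{
    m->namelen = ADDR_MAX;
    if (have_addr)
        memset(m->name, 0x01, ADDR_MAX);   /* constructed address bytes */
}

/* Corrected: the length is updated only together with the data. */
static void recv_fixed(struct model_msg *m, int have_addr)
{
    if (have_addr) {
        memset(m->name, 0x01, ADDR_MAX);
        m->namelen = ADDR_MAX;
    }
}

/* Syscall-layer model; returns how many STALE bytes reached the caller. */
size_t stale_bytes_returned(void (*handler)(struct model_msg *, int),
                            int have_addr, unsigned char *user_out)
{
    unsigned char scratch[ADDR_MAX];
    struct model_msg m = { scratch, 0 };
    size_t i, leaked = 0;
    memset(scratch, STALE, sizeof scratch);   /* stands in for old stack data */
    handler(&m, have_addr);
    memcpy(user_out, scratch, m.namelen);     /* models the copy to user space */
    for (i = 0; i < m.namelen; i++)
        leaked += (user_out[i] == STALE);
    return leaked;
}

int main(void)
{
    unsigned char out[ADDR_MAX];
    printf("flawed: %zu stale bytes, fixed: %zu\n",
           stale_bytes_returned(recv_flawed, 0, out),
           stale_bytes_returned(recv_fixed, 0, out));
    return 0;
}
```

In the model the scratch buffer is pre-filled with a marker so the result is deterministic; in the real flaw the corresponding bytes are whatever the kernel stack last held.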

Comment 14 errata-xmlrpc 2014-02-11 18:16:42 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0159 https://rhn.redhat.com/errata/RHSA-2014-0159.html

Comment 15 errata-xmlrpc 2014-03-12 18:30:32 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0285 https://rhn.redhat.com/errata/RHSA-2014-0285.html

Comment 16 errata-xmlrpc 2014-04-28 16:53:07 UTC
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2014:0439 https://rhn.redhat.com/errata/RHSA-2014-0439.html

