Bug 1035875 - (CVE-2013-7263, CVE-2013-7264, CVE-2013-7265, CVE-2013-7281) CVE-2013-7263 CVE-2013-7265 Kernel: net: leakage of uninitialized memory to user-space via recv syscalls
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
impact=low,public=20131118,reported=2...
: Security
Depends On: 1035880 1035881 1035882 1035883 1035884 1035885 1035886 1035887
Blocks: 1032009
Reported: 2013-11-28 12:35 EST by Prasad J Pandit
Modified: 2015-10-15 14:07 EDT
Doc Type: Bug Fix
Last Closed: 2014-04-28 13:40:49 EDT
Description Prasad J Pandit 2013-11-28 12:35:49 EST
A Linux kernel built with networking support (CONFIG_NET) is vulnerable to a
memory leakage flaw. It occurs while doing the recvmsg(2), recvfrom(2),
recvmmsg(2) socket calls.

A user/program could use this flaw to leak kernel memory bytes.

Upstream fix:
-------------
 -> https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=bceaa90240b6019ed73b49965eac7d167610be69

 -> https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=85fbaa75037d0b6b786ff18658ddf0b4014ce2a4


Original 'CVE-2013-6405' assigned to this issue has been rejected and the following 4 have been assigned for the same:

   - CVE-2013-7263 (net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c,
                    net/ipv6/raw.c, and net/ipv6/udp.c),
   - CVE-2013-7264 (net/l2tp/l2tp_ip.c),
   - CVE-2013-7265 (net/phonet/datagram.c)
   - CVE-2013-7281 (net/ieee802154/dgram.c)

===
Name: CVE-2013-6405

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2013-7263,
CVE-2013-7264, CVE-2013-7265. Reason: This candidate is a duplicate
of CVE-2013-7263, CVE-2013-7264, and CVE-2013-7265. Notes: All CVE
users should reference CVE-2013-7263, CVE-2013-7264, and/or
CVE-2013-7265 instead of this candidate. All references and
descriptions in this candidate have been removed to prevent accidental
usage.
===
Comment 1 Prasad J Pandit 2013-11-28 12:59:58 EST
Statement CVE-2013-7263:

(none)


Statement CVE-2013-7264:

This issue does not affect the versions of the kernel package as shipped with
Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.


Statement CVE-2013-7265:

This issue does not affect the version of the kernel package as shipped with
Red Hat Enterprise Linux 5.


Statement CVE-2013-7281:

This issue does not affect the versions of the kernel package as shipped with
Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.
Comment 4 Prasad J Pandit 2013-11-28 13:10:29 EST
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1035887]
Comment 7 Fedora Update System 2013-12-07 01:58:04 EST
kernel-3.11.10-200.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2013-12-10 01:15:56 EST
kernel-3.11.10-100.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2013-12-10 01:55:02 EST
kernel-3.11.10-301.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2013-12-20 21:14:50 EST
kernel-3.12.5-200.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2013-12-20 21:24:39 EST
kernel-3.12.5-302.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Vincent Danen 2014-01-08 15:30:59 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7281 to
the following vulnerability:

Name: CVE-2013-7281
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7281
Assigned: 20140108
Reference: http://www.openwall.com/lists/oss-security/2013/11/28/13
Reference: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=bceaa90240b6019ed73b49965eac7d167610be69
Reference: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.4
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1035875
Reference: https://github.com/torvalds/linux/commit/bceaa90240b6019ed73b49965eac7d167610be69

The dgram_recvmsg function in net/ieee802154/dgram.c in the Linux
kernel before 3.12.4 updates a certain length value without ensuring
that an associated data structure has been initialized, which allows
local users to obtain sensitive information from kernel stack memory
via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
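
The flaw class described in the CVE text above, shown as an added userspace model (not part of this bug report and not kernel code): a receive handler that sets the address length before the address structure is filled, beside the ordering that updates the length only when the structure is written. The names `model_msg`, `recv_before_fix`, `recv_after_fix` and `stale_bytes_copied`, the early-return path, and the 0xAA fill that stands in for stale stack contents are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define ADDR_SIZE 16              /* stand-in for the size of a socket address */

struct model_msg {                /* hypothetical stand-in for the kernel's msghdr */
    unsigned char *name;          /* address buffer living on the caller's stack */
    int namelen;                  /* number of bytes the copy-out step will trust */
};

/* Pre-fix ordering: the length is published before the address is filled. */
static int recv_before_fix(struct model_msg *m, int have_datagram)
{
    m->namelen = ADDR_SIZE;
    if (!have_datagram)
        return 0;                 /* early exit: m->name was never written */
    memset(m->name, 0, ADDR_SIZE);
    m->name[0] = 2;               /* constructed "address family" byte */
    return 1;
}

/* Post-fix ordering: the length is updated only where the address is filled. */
static int recv_after_fix(struct model_msg *m, int have_datagram)
{
    if (!have_datagram)
        return 0;                 /* namelen stays 0, nothing is copied out */
    memset(m->name, 0, ADDR_SIZE);
    m->name[0] = 2;
    m->namelen = ADDR_SIZE;
    return 1;
}

/* Models the syscall layer; returns how many stale bytes reach the caller. */
static int stale_bytes_copied(int (*handler)(struct model_msg *, int), int have_datagram)
{
    unsigned char stack_buf[ADDR_SIZE], user_buf[ADDR_SIZE] = {0};
    struct model_msg m = { stack_buf, 0 };
    int i, stale = 0;
    memset(stack_buf, 0xAA, sizeof stack_buf);    /* constructed stale contents */
    handler(&m, have_datagram);
    memcpy(user_buf, m.name, (size_t)m.namelen);  /* copy-out trusts namelen */
    for (i = 0; i < m.namelen; i++)
        stale += (user_buf[i] == 0xAA);
    return stale;
}

int main(void)
{
    printf("stale bytes copied: before fix %d, after fix %d\n",
           stale_bytes_copied(recv_before_fix, 0), stale_bytes_copied(recv_after_fix, 0));
    return 0;
}
```

When auditing other receive handlers for the same pattern, the thing to check is that every path which sets the length has also written the structure it describes.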
Comment 14 errata-xmlrpc 2014-02-11 13:16:42 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0159 https://rhn.redhat.com/errata/RHSA-2014-0159.html
Comment 15 errata-xmlrpc 2014-03-12 14:30:32 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0285 https://rhn.redhat.com/errata/RHSA-2014-0285.html
Comment 16 errata-xmlrpc 2014-04-28 12:53:07 EDT
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2014:0439 https://rhn.redhat.com/errata/RHSA-2014-0439.html
