Bug 177916 - CVE-2006-0035 kernel issues (CVE-2006-0036 CVE-2006-0037 CVE-2006-0095)
Product: Fedora
Classification: Fedora
Component: kernel
All Linux
medium Severity medium
Assigned To: Dave Jones
Brian Brock
: Security
Reported: 2006-01-16 08:07 EST by Mark J. Cox (Product Security)
Modified: 2015-01-04 17:24 EST
Doc Type: Bug Fix
Last Closed: 2006-01-19 01:08:45 EST

Description Mark J. Cox (Product Security) 2006-01-16 08:07:55 EST
These issues look still present as of FC5test2

CVE-2006-0095 dm-crypt key leak
        dm-crypt in Linux kernel 2.6.15 and earlier does not clear a
        structure before it is freed, which leads to a memory
        disclosure that could allow local users to obtain sensitive
        information about a cryptographic key.

CVE-2006-0037 Netfilter local crash

CVE-2006-0036 Netfilter remote crash

CVE-2006-0035 netlink DoS
Comment 1 Dave Jones 2006-01-17 01:44:05 EST
If it's in Linus' tree, it's in rawhide.

marc.theaimsgroup seems to be down right now, so I can't check the first one.
Comment 2 Dave Jones 2006-01-19 01:08:45 EST
still can't get to that url, but Jan 6th, this got merged..

Subject: [PATCH] dm-crypt: zero key before freeing it

which sounds like the same problem, so I'm closing this, as Linus' tree has all
these, and rawhide is based on -git of the day right now.

Comment 3 Mark J. Cox (Product Security) 2006-01-19 03:39:14 EST
both the marc urls work for me, this is the plaintext paste from that URL

dm-crypt should clear struct crypt_config before freeing it to
avoid information leak f.e. to a swsusp image.

Signed-off-by: Stefan Rompf <stefan@loplof.de>
Acked-by: Clemens Fruhwirth <clemens@endorphin.org>

--- linux-2.6.15/drivers/md/dm-crypt.c.orig	2006-01-04 01:01:16.000000000 +0100
+++ linux-2.6.15/drivers/md/dm-crypt.c	2006-01-04 22:35:13.000000000 +0100
@@ -690,6 +690,8 @@
+	/* Zero key material before free to avoid information leak */
+	memset(cc, 0, sizeof(*cc) + cc->key_size * sizeof(u8));
 	return -EINVAL;
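Review bot: the length passed to the added memset is computed from cc->key_size, so the error path ending in return -EINVAL only wipes the whole allocation if key_size has already been assigned on every route that reaches it. It would help to say so in the comment, or to wipe using the size that was recorded when cc was allocated. The "* sizeof(u8)" factor is 1 and can be dropped.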
@@ -706,6 +708,9 @@
 	dm_put_device(ti, cc->dev);
+	/* Zero key material before free to avoid information leak */
+	memset(cc, 0, sizeof(*cc) + cc->key_size * sizeof(u8));
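Review bot: the comment and memset added after dm_put_device(ti, cc->dev) repeat the two lines from the first hunk verbatim, so the length expression now lives in two places; a small helper that wipes cc would keep them in step. Placing the wipe after the last use of cc->dev is right, since the memset clears that field too. Because nothing reads cc again between this memset and the free the comment refers to, it is worth confirming the compiler cannot drop the store as dead, for example with a barrier or a dedicated wipe routine.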
This matches your comment #2 and therefore it is fixed upstream.
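
The dm-crypt fix discussed in this bug, as an added userspace C illustration (not kernel code, and not from the original report or patch): the key shares an allocation with the structure, so header and key are cleared together before the memory is released. `demo_config`, `wipe`, `demo_alloc`, `demo_total_size`, `demo_wipe` and `demo_free` are hypothetical names, and the key bytes are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct crypt_config: header plus trailing key. */
struct demo_config {
    size_t  key_size;
    uint8_t key[];              /* key bytes live in the same allocation */
};

/* Zero through a volatile pointer so the stores are not removed as dead
 * writes when the buffer is freed immediately afterwards. */
static void wipe(void *p, size_t n)
{
    volatile uint8_t *b = p;
    while (n--)
        *b++ = 0;
}

static struct demo_config *demo_alloc(const uint8_t *key, size_t key_size)
{
    struct demo_config *cc = malloc(sizeof(*cc) + key_size);
    if (!cc)
        return NULL;
    cc->key_size = key_size;
    memcpy(cc->key, key, key_size);
    return cc;
}

/* Bytes to clear: header plus key. Read before wiping, which zeroes key_size. */
static size_t demo_total_size(const struct demo_config *cc)
{
    return sizeof(*cc) + cc->key_size;
}

/* Clear header and key without freeing, so the result can be inspected. */
static void demo_wipe(struct demo_config *cc)
{
    wipe(cc, demo_total_size(cc));
}

static void demo_free(struct demo_config *cc)
{
    if (!cc)
        return;
    demo_wipe(cc);              /* without this, the key stays in freed memory */
    free(cc);
}

int main(void)
{
    const uint8_t key[4] = { 0x01, 0x02, 0x03, 0x04 };  /* constructed key */
    demo_free(demo_alloc(key, sizeof(key)));
    return 0;
}
```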
Comment 4 Mark J. Cox (Product Security) 2006-02-20 07:41:18 EST
all confirmed fixed test3
