Description of the problem: On 32-bit systems, a large args->num_cliprects from userspace via ioctl may overflow the allocation size, leading to out-of-bounds access. References: http://www.openwall.com/lists/oss-security/2012/05/21/1 Upstream fix: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=44afb3a04391a74309d16180d1e4f8386fdfa745
FYI. This was fixed in 3.3.5 (stable commit 4a265435c87b19175c3906ff49ffe5bf4a4cc228). All Fedora branches are on that or newer already.
Sorry, that should have been stable commit 9f4660213e58b3b78dc75bf3e3b4126dbe9a0b14
Statement: This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2. This issue was addressed in Red Hat Enterprise Linux 6 via RHSA-2012:1304 https://rhn.redhat.com/errata/RHSA-2012-1304.html.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2012:1304 https://rhn.redhat.com/errata/RHSA-2012-1304.html