Bug 918512 (CVE-2013-2546, CVE-2013-2547, CVE-2013-2548) - kernel: crypto: info leaks in report API
Summary: kernel: crypto: info leaks in report API
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-2546, CVE-2013-2547, CVE-2013-2548
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 918519 918520 918521
Blocks: 918391
Reported: 2013-03-06 12:33 UTC by Prasad Pandit
Modified: 2021-02-17 07:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-10 05:40:59 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0829 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2013-05-20 20:47:02 UTC

Description Prasad Pandit 2013-03-06 12:33:35 UTC
Linux kernels built with the crypto user API are vulnerable to an information
disclosure flaw. It occurs when a user calls the `crypto_*_report' APIs via the
netlink based crypto API interface.

1) CVE-2013-2546: Structures used for the netlink based crypto report API are
located on the stack. Uninitialised kernel memory bytes from these structures
are leaked, as `snprintf' does not fill the remainder of the buffer with
zero (NULL) bytes.

2) CVE-2013-2547: Routine `crypto_report_one' does not initialize all fields of
the structure `struct crypto_user_alg'. Thus, uninitialised heap memory bytes are
leaked to user space.

3) CVE-2013-2548: While copying the kernel module name, we should copy only as
many bytes as module_name() returns and not as many as the destination buffer
could hold. But the current code copies uninitialised data from beyond the end
of the module name, as the module name is always shorter than
CRYPTO_MAX_ALG_NAME, thus leaking kernel memory bytes.

A privileged user/program (CAP_NET_ADMIN) could use this flaw to read kernel
memory.

Upstream fix:
-------------
 -> https://git.kernel.org/linus/9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6
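
The first two leak patterns above (a fixed-size name field filled by `snprintf', and a struct whose remaining bytes are never cleared) can be reproduced in user space. The following is an added example, not code from the bug report or from the kernel: `struct report', its 64-byte name field (standing in for CRYPTO_MAX_ALG_NAME) and the two fill routines are constructed for illustration, and the 0xAA sentinel simulates stale stack contents.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical report struct, modelled on the fixed-size name fields of the
 * crypto report structures; not the kernel's own definition. 64 stands in
 * for CRYPTO_MAX_ALG_NAME. */
struct report {
    char name[64];
    unsigned int blocksize;
};

/* Vulnerable pattern: snprintf writes the name plus its terminator and leaves
 * the rest of name[] untouched, so stale stack bytes go out with the struct. */
void fill_report_leaky(struct report *r, const char *name, unsigned int bs)
{
    snprintf(r->name, sizeof(r->name), "%s", name);
    r->blocksize = bs;
}

/* Fixed pattern: clear the whole struct first, then let strncpy zero-pad the
 * tail of name[]; the final byte stays zero so the name is always terminated. */
void fill_report_fixed(struct report *r, const char *name, unsigned int bs)
{
    memset(r, 0, sizeof(*r));
    strncpy(r->name, name, sizeof(r->name) - 1);
    r->blocksize = bs;
}

/* Pre-fills the struct with a 0xAA sentinel (simulated stale stack contents),
 * runs the given fill routine, and counts sentinel bytes left after the name's
 * terminator: each one is a byte that would be copied out to user space. */
size_t stale_bytes(void (*fill)(struct report *, const char *, unsigned int),
                   const char *name)
{
    struct report r;
    size_t i, n = 0;
    memset(&r, 0xAA, sizeof(r));
    fill(&r, name, 16);
    for (i = strlen(name) + 1; i < sizeof(r.name); i++)
        if ((unsigned char)r.name[i] == 0xAA)
            n++;
    return n;
}

int main(void)
{
    printf("leaky: %zu stale bytes, fixed: %zu stale bytes\n",
           stale_bytes(fill_report_leaky, "cbc(aes)"),
           stale_bytes(fill_report_fixed, "cbc(aes)"));
    return 0;
}
```

For an 8-character name the leaky routine leaves 55 sentinel bytes in the 64-byte field, while the fixed routine leaves none.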

Comment 1 Prasad Pandit 2013-03-06 12:48:54 UTC
Statement:

These issues do not affect the versions of the kernel package as shipped with
Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.

These issues do affect the version of Linux kernel as shipped with Red Hat
Enterprise MRG 2. Future kernel updates for Red Hat Enterprise MRG 2 may address
this issue.

Comment 3 Prasad Pandit 2013-03-06 13:00:17 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 918521]

Comment 4 Fedora Update System 2013-03-11 01:24:06 UTC
kernel-3.8.2-206.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2013-03-22 00:19:46 UTC
kernel-3.8.3-103.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 errata-xmlrpc 2013-05-20 16:50:06 UTC
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:0829 https://rhn.redhat.com/errata/RHSA-2013-0829.html

