The module parameter "fwpostfix" is userspace controllable, unfiltered, and is used to define the firmware filename. b43_do_request_fw() populates ctx->errors[] on error, containing the firmware filename. b43err() parses its arguments as a format string. For systems with b43 hardware, this could lead to a uid-0 to ring-0 escalation. Acknowledgements: Red Hat would like to thank Kees Cook for reporting this issue.
Statement: This issue does not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5. This issue does affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6, and Red Hat Enterprise MRG. Future updates for Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG may address this issue.
Created kernel tracking bugs for this issue Affects: fedora-all [bug 971665]
Upstream patch: http://git.kernel.org/cgit/linux/kernel/git/linville/wireless.git/commit/?id=9538cbaab6e8b8046039b4b2eb6c9d614dc782bd
kernel-3.9.5-201.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.9.5-301.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.9.8-100.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2013:1080 https://rhn.redhat.com/errata/RHSA-2013-1080.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:1051 https://rhn.redhat.com/errata/RHSA-2013-1051.html
This issue has been addressed in following products: MRG for RHEL-6 v.2 Via RHSA-2013:1264 https://rhn.redhat.com/errata/RHSA-2013-1264.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only Via RHSA-2013:1450 https://rhn.redhat.com/errata/RHSA-2013-1450.html