[kernel-sec-discuss] r4973 - active

Ben Hutchings benh at moszumanska.debian.org
Tue Feb 21 21:17:32 UTC 2017


Author: benh
Date: 2017-02-21 21:17:31 +0000 (Tue, 21 Feb 2017)
New Revision: 4973

Modified:
   active/CVE-2017-2618
Log:
Add further notes about CVE-2017-2618 and mark as N/A for 3.2

Modified: active/CVE-2017-2618
===================================================================
--- active/CVE-2017-2618	2017-02-21 20:22:50 UTC (rev 4972)
+++ active/CVE-2017-2618	2017-02-21 21:17:31 UTC (rev 4973)
@@ -1,12 +1,20 @@
 Description: selinux: fix off-by-one in setprocattr 
 References:
 Notes:
- Possibly introduced in 3.5-rc1 with d6ea83ec6864e9297fa8b00ec3dae183413a90e3
+ carnil> Possibly introduced in 3.5-rc1 with d6ea83ec6864e9297fa8b00ec3dae183413a90e3
+ bwh> The off-by-one error was introduced in Linux 2.6.12 (just before
+ bwh> the switch to git), as a (very minor) information leak.  The above
+ bwh> commit increased the security impact - writing exactly "\n" can
+ bwh> result in a buffer under-read and oops, which is what this CVE
+ bwh> describes.  Later, commit bb646cdb12e7 "proc_pid_attr_write():
+ bwh> switch to memdup_user()" reduced the buffer size so there is also
+ bwh> a buffer over-read.  However, I think that has no additional impact
+ bwh> since even SLOB pads heap allocations to at least 2 bytes.
 Bugs:
 upstream: released (4.10-rc8) [0c461cb727d146c9ef2d3e86214f498b78b7d125]
 4.9-upstream-stable: released (4.9.10) [6cbaf7b94373743deb42fd410173aab81f8945fe]
 3.16-upstream-stable: needed
-3.2-upstream-stable:
+3.2-upstream-stable: N/A "Vulnerable code not present"
 sid: released (4.9.10-1)
 3.16-jessie-security: pending (3.16.39-1+deb8u1) [bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch]
-3.2-wheezy-security:
+3.2-wheezy-security: N/A "Vulnerable code not present"
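Review bot: The N/A reason "Vulnerable code not present" on the 3.2-upstream-stable and 3.2-wheezy-security lines is narrower than the bwh notes above support: those notes say the off-by-one itself dates from 2.6.12 and only the d6ea83ec6864 commit (3.5-rc1) turned it from a minor information leak into the under-read/oops this CVE describes. Since 3.2 predates 3.5-rc1 but postdates 2.6.12, the off-by-one is present in 3.2 and only the escalation is absent, so a reason along the lines of "Vulnerable code introduced in 3.5-rc1; only the minor pre-existing leak is present" would record the distinction the notes draw and avoid a reader concluding the code path is entirely missing from 3.2.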