Note: This project will be discontinued after December 13, 2021.
2018-12-04
An issue was discovered in the Linux kernel before 4.19.3. crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE-2013-2547 regression but with easier exploitability because the attacker does not need a capability (however, the system must have the CONFIG_CRYPTO_USER kconfig option).
Products        | Ubuntu_linux, Linux_kernel
Type            | Information Exposure (CWE-200)
First patch     | https://github.com/torvalds/linux/commit/f43f39958beb206b53292801e216d9b8a660f087
Relevant file/s | ./crypto/crypto_user_base.c (modified, +9, -9)
Links           | • https://usn.ubuntu.com/3901-1/
                | • https://usn.ubuntu.com/3878-1/
                | • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f43f39958beb206b53292801e216d9b8a660f087
                | • https://usn.ubuntu.com/3901-2/
                | • https://access.redhat.com/errata/RHSA-2019:3517