CVE-2018-19854 - Vulncode-DB

CVE-2018-19854 (NVD)

2018-12-04

An issue was discovered in the Linux kernel before 4.19.3. crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE-2013-2547 regression but with easier exploitability because the attacker does not need a capability (however, the system must have the CONFIG_CRYPTO_USER kconfig option).

Products	Ubuntu_linux, Linux_kernel
Type	Information Exposure (CWE-200)
First patch	https://github.com/torvalds/linux/commit/f43f39958beb206b53292801e216d9b8a660f087
Relevant file/s	./crypto/crypto_user_base.c (modified, +9, -9)
Links	• https://usn.ubuntu.com/3901-1/ • https://usn.ubuntu.com/3878-1/ • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f43f39958beb206b53292801e216d9b8a660f087 • https://usn.ubuntu.com/3901-2/ • https://access.redhat.com/errata/RHSA-2019:3517 More/Less (4) • https://kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.3 • https://usn.ubuntu.com/3878-2/ • https://access.redhat.com/errata/RHSA-2019:3309 • https://usn.ubuntu.com/3872-1/

linux - Tree: f43f39958b

(? files)

Filter Settings

All Files

Relevant Files

Vulnerable Files

Patched Files

Files

VS-Dark VS-Bright Monokai Darcula

Navigation

Patch data:

(on by default)

Patched area: