[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Linux kernel: net - three info leaks in rtnl
From:       Moritz Muehlenhoff <jmm () debian ! org>
Date:       2013-03-25 11:17:26
Message-ID: 20130325111726.GA28771 () inutil ! org
[Download RAW message or body]

On Mon, Mar 25, 2013 at 12:15:38PM +0100, Moritz Muehlenhoff wrote:
> Hi,
> 
> > On 03/19/2013 03:15 PM, Mathias Krause wrote:
> > > I fixed a few more info leaks in linux v3.9-rc3. Unprivileged
> > > users can use the netlink interface to exploit the following issues
> > > to disclose kernel stack memory:
> > > 
> > > 29cd8ae dcbnl: fix various netlink info leaks 
> > > http://git.kernel.org/linus/29cd8ae0e1a39e239a3a7b67da1986add1199fc0
> > >
> > >  84d73cd rtnl: fix info leak on RTM_GETLINK request for VF devices 
> > > http://git.kernel.org/linus/84d73cd3fb142bf1298a8c13fd4ca50fd2432372
> > >
> > >  c085c49 bridge: fix mdb info leaks 
> > > http://git.kernel.org/linus/c085c49920b2f900ba716b4ca1c1a55ece9872cc
> > >
> > >  David Miller did backports for the above issues which are
> > > currently under review and should end up in the next stable and
> > > longterm kernels.
> > > 
> > > Regards, Mathias
> > 
> > CVE Merge - same researcher/vuln/version. Please use CVE-2013-1873 for
> > these issues.
> 
> These appeared in the CVE updates under different IDs now:
> 
> 29cd8ae: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2634
> 84d73cd: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2635
> c085c49: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2636
> 
> Which shall we use?

Ah, I just noticed that 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1873 has already
been marked as rejected.

Cheers,
        Moritz
[prev in list] [next in list] [prev in thread] [next in thread]