[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2017-7482 Linux kernel: krb5 ticket decode len check.
From: Wade Mealing <wmealing () redhat ! com>
Date: 2017-06-26 8:07:59
Message-ID: CALJHwhQkb-2yLFMTuF51QSiUWx=6Wv9DV_e7_s+vgopjhXKyxA () mail ! gmail ! com
[Download RAW message or body]
Gday,
David Howells has written a great description, so rather than reword what
he's written here is a quote directly from the git commit.
From the patch notes:
---
When a kerberos 5 ticket is being decoded so that it can be loaded into
an
rxrpc-type key, there are several places in which the length of a
variable-length field is checked to make sure that it's not going to
overrun the available data - but the data is padded to the nearest
four-byte boundary and the code doesn't check for this extra. This
could
lead to the size-remaining variable wrapping and the data pointer going
over the end of the buffer.
Fix this by making the various variable-length data checks use the
padded
length.
---
From what I can see, this could leak 3 bytes of memory to userspace or
possibly corrupt 3 bytes of memory,
Upstream fix
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f2f97656ada8d811d3c1bef503ced266fcd53a0
Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7482
--
Wade Mealing
Product Security - Kernel, RHCE
Red Hat
<https://www.redhat.com>
wmealing@redhat.com
<https://red.ht/sig>
TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic