Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 03 Jul 2013 20:35:23 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Marcus Meissner <meissner@...e.de>
Subject: Re: CVE Request: Earlier AF_KEY in key_notify_policy_flush

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/03/2013 10:35 AM, Marcus Meissner wrote:
> On Wed, Jul 03, 2013 at 11:02:13AM +0200, Marcus Meissner wrote:
>> Hi,
>> 
>> Michal Hocko identified an earlier patch for an AF_KEY
>> information leak, in nearly the same place as CVE-2013-2234.
> 
> URL: 
> https://github.com/torvalds/linux/commit/85dfb745ee40232876663ae206cba35f24ab2a40
>
> 
>> Due to different time of fix and different researcher probably 
>> needs a new CVE.

Yup CVE split.

>> 
>> Ciao, Marcus
>> 
>> commit 85dfb745ee40232876663ae206cba35f24ab2a40 Author: Nicolas
>> Dichtel <nicolas.dichtel@...nd.com> Date:   Mon Feb 18 16:24:20
>> 2013 +0100
>> 
>> af_key: initialize satype in key_notify_policy_flush()
>> 
>> This field was left uninitialized. Some user daemons perform
>> check against this field.
>> 
>> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@...nd.com> 
>> Signed-off-by: Steffen Klassert <steffen.klassert@...unet.com>
>> 

Please use CVE-2013-2237 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR1N9rAAoJEBYNRVNeJnmTjC4P/0W86bcbkrENj7qTJMAhfkoD
yRHlIVOgQUBDcoz5uvtwXJzyS3LYUtv0MrpRw2hpTzGmVp+fBuESK7SSq/xC7ddj
S91U3CglCWvuvqPK2+z4ovvR/VuZ/ed1AESgVsfAdwor/qyTj2w16+pJPNkF7Iw1
3HnqNiBwCGw85h2mpWTN2L0TZJ+BUQliz2YG/GDdI1h/8TG1FI/DXqfdrzamNtaw
8U+gcvSISXRtRkIY4Hifg4KS4X9dYlA0IK+aBQ5Ur2pyxc/goCzTsejKOxgThpha
K428FuFIOA10gBEGSl5h4dplZxDbw0lhfE7H/prWHG15pxxuzbw5ug2Jaq11FLv5
aniTIqW9T2EDTcCaHFB4szYbXWBMsaGYUbx+qpUCtLXT9LcVjwmvobmbgng3L7LB
h2cKiktMAQQDOYo7ZkGcX23pu8Eor2gLjZ8MnBedH5DZYWzd3aMOl+89Cvsv7rz1
guQYjk2yPi8xjl0WrBJQ2w9mcJLbOPDJrURoCMilp3OG+XggHxK0ksxSnZSvZ9LG
7YFtP47QNidRlgLd3tf5S56d65tUiF7qM254oOmXIh5pDq2yPQ6BdqDu6wKi0Mux
4oabaJCGs1E2dLjZnzFHDxBG9MabV2NDAt2qGxG6diVIZz2eVUShfHLPgQpbgfdJ
5La/nOo9QQwxdnnU8d6g
=oB3q
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.