Date: Mon, 26 Jun 2017 18:07:59 +1000 From: Wade Mealing <wmealing@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2017-7482 Linux kernel: krb5 ticket decode len check. Gday, David Howells has written a great description, so rather than reword what he's written here is a quote directly from the git commit. >From the patch notes: --- When a kerberos 5 ticket is being decoded so that it can be loaded into an rxrpc-type key, there are several places in which the length of a variable-length field is checked to make sure that it's not going to overrun the available data - but the data is padded to the nearest four-byte boundary and the code doesn't check for this extra. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. Fix this by making the various variable-length data checks use the padded length. --- >From what I can see, this could leak 3 bytes of memory to userspace or possibly corrupt 3 bytes of memory, Upstream fix https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f2f97656ada8d811d3c1bef503ced266fcd53a0 Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7482 -- Wade Mealing Product Security - Kernel, RHCE Red Hat <https://www.redhat.com> wmealing@...hat.com <https://red.ht/sig> TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ