Date: Mon, 26 Jun 2017 18:07:59 +1000
From: Wade Mealing <>
Subject: CVE-2017-7482 Linux kernel: krb5 ticket decode len check.


David Howells has written a great description, so rather than reword what
he's written here is a quote directly from the git commit.

From the patch notes:

    When a kerberos 5 ticket is being decoded so that it can be loaded into
    rxrpc-type key, there are several places in which the length of a
    variable-length field is checked to make sure that it's not going to
    overrun the available data - but the data is padded to the nearest
    four-byte boundary and the code doesn't check for this extra.  This
    lead to the size-remaining variable wrapping and the data pointer going
    over the end of the buffer.

    Fix this by making the various variable-length data checks use the

From what I can see, this could leak 3 bytes of memory to userspace or
possibly corrupt 3 bytes of memory,

Upstream fix

Red Hat Bugzilla:


Wade Mealing

Product Security - Kernel, RHCE

Red Hat
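
The length-versus-padding mistake described in the quoted patch notes, modelled in user-space C as an added example. This is not the kernel code or the upstream patch: the names pad4, flawed_check_wraps and count_fields, the sample buffers, and the big-endian 32-bit length prefix in front of each field are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Round a length up to the four-byte boundary the encoding pads to. */
static uint32_t pad4(uint32_t len) { return (len + 3u) & ~3u; }

/* Read a big-endian 32-bit length word (assumed field prefix). */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed pattern: the raw length is checked, the padded length is consumed.
 * Only the arithmetic is modelled, no memory is touched. Returns 1 when the
 * check accepts the field although remaining - pad4(len) would wrap. */
int flawed_check_wraps(uint32_t len, uint32_t remaining)
{
    if (len > remaining)
        return 0;                    /* rejected: the check works here */
    return pad4(len) > remaining;    /* accepted, unsigned subtraction wraps */
}

/* Hardened walk over length-prefixed, padded fields. Returns the number of
 * fields, or -1 if any field, padding included, would pass the buffer end. */
int count_fields(const uint8_t *buf, size_t size)
{
    int n = 0;
    while (size > 0) {
        uint32_t len, padded;
        if (size < 4)
            return -1;               /* truncated length word */
        len = be32(buf);
        buf += 4;
        size -= 4;
        padded = pad4(len);
        if (padded < len || padded > size)  /* pad4 overflowed, or overrun */
            return -1;
        buf += padded;
        size -= padded;
        n++;
    }
    return n;
}

/* Constructed samples: a 5-byte field with padding, without, and a huge length. */
const uint8_t sample_ok[]   = {0, 0, 0, 5, 'a', 'b', 'c', 'd', 'e', 0, 0, 0};
const uint8_t sample_bad[]  = {0, 0, 0, 5, 'a', 'b', 'c', 'd', 'e', 0};
const uint8_t sample_huge[] = {0xFF, 0xFF, 0xFF, 0xFE, 0, 0, 0, 0};
```

With 6 bytes remaining, a 5-byte field passes the raw check but consumes 8, which is the wrap the patch notes describe; count_fields rejects the same input because it compares the padded length.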

