Date: Mon, 26 Jun 2017 18:07:59 +1000 From: Wade Mealing <wmealing@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2017-7482 Linux kernel: krb5 ticket decode len check. Gday, David Howells has written a great description, so rather than reword what he's written here is a quote directly from the git commit. >From the patch notes: --- When a kerberos 5 ticket is being decoded so that it can be loaded into an rxrpc-type key, there are several places in which the length of a variable-length field is checked to make sure that it's not going to overrun the available data - but the data is padded to the nearest four-byte boundary and the code doesn't check for this extra. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. Fix this by making the various variable-length data checks use the padded length. --- >From what I can see, this could leak 3 bytes of memory to userspace or possibly corrupt 3 bytes of memory, Upstream fix https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f2f97656ada8d811d3c1bef503ced266fcd53a0 Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7482 -- Wade Mealing Product Security - Kernel, RHCE Red Hat <https://www.redhat.com> wmealing@...hat.com <https://red.ht/sig> TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.