oss-sec mailing list archives
CVE-2017-7482 Linux kernel: krb5 ticket decode len check.
From: Wade Mealing <wmealing () redhat com>
Date: Mon, 26 Jun 2017 18:07:59 +1000
Gday, David Howells has written a great description, so rather than reword what he's written here is a quote directly from the git commit.
From the patch notes:
--- When a kerberos 5 ticket is being decoded so that it can be loaded into an rxrpc-type key, there are several places in which the length of a variable-length field is checked to make sure that it's not going to overrun the available data - but the data is padded to the nearest four-byte boundary and the code doesn't check for this extra. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. Fix this by making the various variable-length data checks use the padded length. ---
From what I can see, this could leak 3 bytes of memory to userspace or
possibly corrupt 3 bytes of memory, Upstream fix https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f2f97656ada8d811d3c1bef503ced266fcd53a0 Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7482 -- Wade Mealing Product Security - Kernel, RHCE Red Hat <https://www.redhat.com> wmealing () redhat com <https://red.ht/sig> TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
Current thread:
- CVE-2017-7482 Linux kernel: krb5 ticket decode len check. Wade Mealing (Jun 26)