Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 26 Jun 2017 18:07:59 +1000
From: Wade Mealing <wmealing@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-7482 Linux kernel: krb5 ticket decode len check.

Gday,

David Howells has written a great description, so rather than reword what
he's written here is a quote directly from the git commit.

>From the patch notes:

---
    When a kerberos 5 ticket is being decoded so that it can be loaded into
an
    rxrpc-type key, there are several places in which the length of a
    variable-length field is checked to make sure that it's not going to
    overrun the available data - but the data is padded to the nearest
    four-byte boundary and the code doesn't check for this extra.  This
could
    lead to the size-remaining variable wrapping and the data pointer going
    over the end of the buffer.

    Fix this by making the various variable-length data checks use the
padded
    length.
---

>From what I can see, this could leak 3 bytes of memory to userspace or
possibly corrupt 3 bytes of memory,

Upstream fix
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f2f97656ada8d811d3c1bef503ced266fcd53a0

Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7482

-- 

Wade Mealing

Product Security - Kernel, RHCE

Red Hat

<https://www.redhat.com>

wmealing@...hat.com
<https://red.ht/sig>
TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.