Message-ID: <CAFqZXNvNR3FWeNz5eTPmG0HbB8dZF6_xQcOeUNowo-a+93QwdA@mail.gmail.com>
Date: Wed, 27 May 2020 09:44:50 +0200
From: Ondrej Mosnacek <omosnace@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Paul Moore <paul@...l-moore.com>, Stephen Smalley <stephen.smalley.work@...il.com>, 
	Jeff Vander Stoep <jeffv@...gle.com>, Wade Mealing <wmealing@...hat.com>
Subject: CVE-2020-10751 - Linux kernel: SELinux netlink permission check bypass

(Resending with correct ML address...)

Hello,

This flaw has already been announced and described here:
https://www.openwall.com/lists/oss-security/2020/04/30/5

This is just a note to let you know that it has been assigned
CVE-2020-10751 upon request from Red Hat.

The flaw is fixed by the following upstream commit:

commit fb73974172ffaaf57a7c42f35424d9aece1a5af6
Author: Paul Moore <paul@...l-moore.com>
Date:   Tue Apr 28 09:59:02 2020 -0400

   selinux: properly handle multiple messages in selinux_netlink_send()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fb73974172ffaaf57a7c42f35424d9aece1a5af6

The flaw dates back at least to Linux-2.6.12-rc2, so likely all
versions of Linux currently in use are affected.

RH tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1839634

-- 
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel,
Red Hat, Inc.
