diff options
| author | Josh Boyer <jwboyer@redhat.com> | 2013-06-07 08:15:42 -0400 |
|---|---|---|
| committer | Josh Boyer <jwboyer@redhat.com> | 2013-06-07 08:18:07 -0400 |
| commit | be3c5103be31fc8ee6fe89808bcca127dade2fb9 (patch) | |
| tree | ec58f1a5b828611bfed31a88efb2c4818229059a | |
| parent | 5a0fdd92dca3d5a4265f6db6dc53fb541d2c9825 (diff) | |
| download | kernel-be3c5103be31fc8ee6fe89808bcca127dade2fb9.tar.gz kernel-be3c5103be31fc8ee6fe89808bcca127dade2fb9.tar.xz kernel-be3c5103be31fc8ee6fe89808bcca127dade2fb9.zip | |
CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)
| -rw-r--r-- | b43-stop-format-string-leaking-into-error-msgs.patch | 32 | ||||
| -rw-r--r-- | kernel.spec | 9 |
2 files changed, 41 insertions, 0 deletions
diff --git a/b43-stop-format-string-leaking-into-error-msgs.patch b/b43-stop-format-string-leaking-into-error-msgs.patch new file mode 100644 index 000000000..84249e5eb --- /dev/null +++ b/b43-stop-format-string-leaking-into-error-msgs.patch @@ -0,0 +1,32 @@ +From 9538cbaab6e8b8046039b4b2eb6c9d614dc782bd Mon Sep 17 00:00:00 2001 +From: Kees Cook <keescook@chromium.org> +Date: Fri, 10 May 2013 21:48:21 +0000 +Subject: b43: stop format string leaking into error msgs + +The module parameter "fwpostfix" is userspace controllable, unfiltered, +and is used to define the firmware filename. b43_do_request_fw() populates +ctx->errors[] on error, containing the firmware filename. b43err() +parses its arguments as a format string. For systems with b43 hardware, +this could lead to a uid-0 to ring-0 escalation. + +CVE-2013-2852 + +Signed-off-by: Kees Cook <keescook@chromium.org> +Cc: stable@vger.kernel.org +Signed-off-by: John W. Linville <linville@tuxdriver.com> +--- +diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c +index 6dd07e2..a95b77a 100644 +--- a/drivers/net/wireless/b43/main.c ++++ b/drivers/net/wireless/b43/main.c +@@ -2458,7 +2458,7 @@ static void b43_request_firmware(struct work_struct *work) + for (i = 0; i < B43_NR_FWTYPES; i++) { + errmsg = ctx->errors[i]; + if (strlen(errmsg)) +- b43err(dev->wl, errmsg); ++ b43err(dev->wl, "%s", errmsg); + } + b43_print_fw_helptext(dev->wl, 1); + goto out; +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 6e0d719a9..9db2ea6b3 100644 --- a/kernel.spec +++ b/kernel.spec @@ -751,6 +751,9 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch #CVE-2013-2148 rhbz 971258 971261 Patch25033: fanotify-info-leak-in-copy_event_to_user.patch +#CVE-2013-2852 rhbz 969518 971665 +Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch + # END OF PATCH DEFINITIONS %endif @@ -1445,6 +1448,9 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch #CVE-2013-2148 rhbz 971258 971261 ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch +#CVE-2013-2852 rhbz 969518 971665 +ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch + # END OF PATCH APPLICATIONS %endif @@ -2250,6 +2256,9 @@ fi # ||----w | # || || %changelog +* Fri Jun 07 2013 Josh Boyer <jwboyer@redhat.com> +- CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665) + * Thu Jun 06 2013 Josh Boyer <jwboyer@redhat.com> - CVE-2013-2148 fanotify: info leak in copy_event_to_user (rhbz 971258 971261) - CVE-2013-2147 cpqarray/cciss: information leak via ioctl (rhbz 971242 971249) |