diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-06-07 08:12:33 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-06-07 08:17:12 -0400 |
commit | 1a579a015517dc507dfa9c927f0822b24364a5f5 (patch) | |
tree | 6bd24d718c50620b8205065514f6e88911a6d7b7 | |
parent | 874cad1ebd0b14bc8f6ebf6f49c6c3c077af3ea8 (diff) | |
download | kernel-1a579a015517dc507dfa9c927f0822b24364a5f5.tar.gz kernel-1a579a015517dc507dfa9c927f0822b24364a5f5.tar.xz kernel-1a579a015517dc507dfa9c927f0822b24364a5f5.zip |
CVE-2016-5243 info leak in tipc (rhbz 1343338 1343335)
-rw-r--r-- | kernel.spec | 6 | ||||
-rw-r--r-- | tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch | 32 |
2 files changed, 38 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index 492865b19..702c1e9da 100644 --- a/kernel.spec +++ b/kernel.spec @@ -605,6 +605,9 @@ Patch641: disable-CONFIG_EXPERT-for-ZONE_DMA.patch #CVE-2016-3134 rhbz 1317383 1317384 Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch +#CVE-2016-5243 rhbz 1343338 1343335 +Patch721: tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch + # END OF PATCH DEFINITIONS %endif @@ -2130,6 +2133,9 @@ fi # # %changelog +* Tue Jun 07 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-5243 info leak in tipc (rhbz 1343338 1343335) + * Mon Jun 06 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc2.git0.1 - Linux v4.7-rc2 - Disable debugging options. diff --git a/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch b/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch new file mode 100644 index 000000000..9cd7c09a3 --- /dev/null +++ b/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch @@ -0,0 +1,32 @@ +From 5d2be1422e02ccd697ccfcd45c85b4a26e6178e2 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu <kangjielu@gmail.com> +Date: Thu, 2 Jun 2016 04:04:56 -0400 +Subject: tipc: fix an infoleak in tipc_nl_compat_link_dump + +link_info.str is a char array of size 60. Memory after the NULL +byte is not initialized. Sending the whole object out can cause +a leak. + +Signed-off-by: Kangjie Lu <kjlu@gatech.edu> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/tipc/netlink_compat.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c +index f795b1d..3ad9fab 100644 +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -604,7 +604,8 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg, + + link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]); + link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP])); +- strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME])); ++ nla_strlcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]), ++ TIPC_MAX_LINK_NAME); + + return tipc_add_tlv(msg->rep, TIPC_TLV_LINK_INFO, + &link_info, sizeof(link_info)); +-- +cgit v0.12 + |