summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch40
-rw-r--r--kernel.spec9
2 files changed, 49 insertions, 0 deletions
diff --git a/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch b/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
new file mode 100644
index 000000000..c8d015491
--- /dev/null
+++ b/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
@@ -0,0 +1,40 @@
+Stephan Mueller reported to me recently a error in random number generation in
+the ansi cprng. If several small requests are made that are less than the
+instances block size, the remainder for loop code doesn't increment
+rand_data_valid in the last iteration, meaning that the last bytes in the
+rand_data buffer gets reused on the subsequent smaller-than-a-block request for
+random data.
+
+The fix is pretty easy, just re-code the for loop to make sure that
+rand_data_valid gets incremented appropriately
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: Stephan Mueller <stephan.mueller@atsec.com>
+CC: Stephan Mueller <stephan.mueller@atsec.com>
+CC: Petr Matousek <pmatouse@redhat.com>
+CC: Herbert Xu <herbert@gondor.apana.org.au>
+CC: "David S. Miller" <davem@davemloft.net>
+---
+ crypto/ansi_cprng.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
+index c0bb377..666f196 100644
+--- a/crypto/ansi_cprng.c
++++ b/crypto/ansi_cprng.c
+@@ -230,11 +230,11 @@ remainder:
+ */
+ if (byte_count < DEFAULT_BLK_SZ) {
+ empty_rbuf:
+- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
+- ctx->rand_data_valid++) {
++ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
+ *ptr = ctx->rand_data[ctx->rand_data_valid];
+ ptr++;
+ byte_count--;
++ ctx->rand_data_valid++;
+ if (byte_count == 0)
+ goto done;
+ }
+--
+1.8.3.1
diff --git a/kernel.spec b/kernel.spec
index 125e6ef6b..65bfc0afd 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -767,6 +767,9 @@ Patch25100: tuntap-correctly-handle-error-in-tun_set_iff.patch
#CVE-2013-4350 rhbz 1007872 1007903
Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
+#CVE-2013-4345 rhbz 1007690 1009136
+Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
+
Patch25103: fix-arm-btrfs-build.patch
# END OF PATCH DEFINITIONS
@@ -1498,6 +1501,9 @@ ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch
#CVE-2013-4350 rhbz 1007872 1007903
ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
+#CVE-2013-4345 rhbz 1007690 1009136
+ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2302,6 +2308,9 @@ fi
# ||----w |
# || ||
%changelog
+* Tue Sep 17 2013 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136)
+
* Tue Sep 17 2013 Kyle McMartin <kyle@redhat.com>
- Add nvme.ko to modules.block for anaconda.