1 files changed, 0 insertions, 32 deletions

diff --git a/b43-stop-format-string-leaking-into-error-msgs.patch b/b43-stop-format-string-leaking-into-error-msgs.patch
deleted file mode 100644
index 84249e5eb..000000000
--- a/b43-stop-format-string-leaking-into-error-msgs.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 9538cbaab6e8b8046039b4b2eb6c9d614dc782bd Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Fri, 10 May 2013 21:48:21 +0000
-Subject: b43: stop format string leaking into error msgs
-
-The module parameter "fwpostfix" is userspace controllable, unfiltered,
-and is used to define the firmware filename. b43_do_request_fw() populates
-ctx->errors[] on error, containing the firmware filename. b43err()
-parses its arguments as a format string. For systems with b43 hardware,
-this could lead to a uid-0 to ring-0 escalation.
-
-CVE-2013-2852
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: John W. Linville <linville@tuxdriver.com>
----
-diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
-index 6dd07e2..a95b77a 100644
---- a/drivers/net/wireless/b43/main.c
-+++ b/drivers/net/wireless/b43/main.c
-@@ -2458,7 +2458,7 @@ static void b43_request_firmware(struct work_struct *work)
- 	for (i = 0; i < B43_NR_FWTYPES; i++) {
- 		errmsg = ctx->errors[i];
- 		if (strlen(errmsg))
--			b43err(dev->wl, errmsg);
-+			b43err(dev->wl, "%s", errmsg);
- 	}
- 	b43_print_fw_helptext(dev->wl, 1);
- 	goto out;
---
-cgit v0.9.2