ACK/cmt: [PATCH 0/1][SRU][B] CVE-2018-19854 - Crypto API info leak
Khaled Elmously
khalid.elmously at canonical.com
Fri Jan 25 03:24:58 UTC 2019
On 2019-01-25 02:08:07 , Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19854.html
>
> An issue was discovered in the Linux kernel before 4.19.3.
> crypto_report_one() and related functions in crypto/crypto_user.c (the
> crypto user configuration API) do not fully initialize structures that are
> copied to userspace, potentially leaking sensitive memory to user programs.
> NOTE: this is a CVE-2013-2547 regression but with easier exploitability
> because the attacker does not need a capability (however, the system must
> have the CONFIG_CRYPTO_USER kconfig option).
>
> After adjusting the target filename of the patch, this was a clean cherry-pick
> to Bionic. I've only boot tested this change in the Bionic kernel.
>
> Tyler
>
There's some irony in this, isn't there?
Acked-by: Khalid Elmously <khalid.elmously at canonical.com>
More information about the kernel-team
mailing list