rpms/kernel
9
2
Fork 4
Code Issues Pull Requests Releases Activity

CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)

Browse Source
This commit is contained in:
Josh Boyer 2013-06-07 08:15:42 -04:00
parent 5a0fdd92dc
commit be3c5103be
2 changed files with 41 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
b43-stop-format-string-leaking-into-error-msgs.patch Normal file
View File

@ -0,0 +1,32 @@
From 9538cbaab6e8b8046039b4b2eb6c9d614dc782bd Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Fri, 10 May 2013 21:48:21 +0000
Subject: b43: stop format string leaking into error msgs
The module parameter "fwpostfix" is userspace controllable, unfiltered,
and is used to define the firmware filename. b43_do_request_fw() populates
ctx->errors[] on error, containing the firmware filename. b43err()
parses its arguments as a format string. For systems with b43 hardware,
this could lead to a uid-0 to ring-0 escalation.
CVE-2013-2852
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
index 6dd07e2..a95b77a 100644
--- a/drivers/net/wireless/b43/main.c
+++ b/drivers/net/wireless/b43/main.c
@@ -2458,7 +2458,7 @@ static void b43_request_firmware(struct work_struct *work)
for (i = 0; i < B43_NR_FWTYPES; i++) {
errmsg = ctx->errors[i];
if (strlen(errmsg))
- b43err(dev->wl, errmsg);
+ b43err(dev->wl, "%s", errmsg);
}
b43_print_fw_helptext(dev->wl, 1);
goto out;
--
cgit v0.9.2

9
kernel.spec
View File

@ -751,6 +751,9 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch
#CVE-2013-2148 rhbz 971258 971261 #CVE-2013-2148 rhbz 971258 971261
Patch25033: fanotify-info-leak-in-copy_event_to_user.patch Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
#CVE-2013-2852 rhbz 969518 971665
Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch
# END OF PATCH DEFINITIONS # END OF PATCH DEFINITIONS
%endif %endif
@ -1445,6 +1448,9 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch
#CVE-2013-2148 rhbz 971258 971261 #CVE-2013-2148 rhbz 971258 971261
ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
#CVE-2013-2852 rhbz 969518 971665
ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch
# END OF PATCH APPLICATIONS # END OF PATCH APPLICATIONS
%endif %endif
@ -2250,6 +2256,9 @@ fi
# ||----w | # ||----w |
# || || # || ||
%changelog %changelog
* Fri Jun 07 2013 Josh Boyer <jwboyer@redhat.com>
- CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)
* Thu Jun 06 2013 Josh Boyer <jwboyer@redhat.com> * Thu Jun 06 2013 Josh Boyer <jwboyer@redhat.com>
- CVE-2013-2148 fanotify: info leak in copy_event_to_user (rhbz 971258 971261) - CVE-2013-2148 fanotify: info leak in copy_event_to_user (rhbz 971258 971261)
- CVE-2013-2147 cpqarray/cciss: information leak via ioctl (rhbz 971242 971249) - CVE-2013-2147 cpqarray/cciss: information leak via ioctl (rhbz 971242 971249)