CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)
This commit is contained in:
Josh Boyer
parent
5a0fdd92dc
commit
be3c5103be
32
b43-stop-format-string-leaking-into-error-msgs.patch
Normal file
32
b43-stop-format-string-leaking-into-error-msgs.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From 9538cbaab6e8b8046039b4b2eb6c9d614dc782bd Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Fri, 10 May 2013 21:48:21 +0000
|
||||
Subject: b43: stop format string leaking into error msgs
|
||||
|
||||
The module parameter "fwpostfix" is userspace controllable, unfiltered,
|
||||
and is used to define the firmware filename. b43_do_request_fw() populates
|
||||
ctx->errors[] on error, containing the firmware filename. b43err()
|
||||
parses its arguments as a format string. For systems with b43 hardware,
|
||||
this could lead to a uid-0 to ring-0 escalation.
|
||||
|
||||
CVE-2013-2852
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
||||
---
|
||||
diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
|
||||
index 6dd07e2..a95b77a 100644
|
||||
--- a/drivers/net/wireless/b43/main.c
|
||||
+++ b/drivers/net/wireless/b43/main.c
|
||||
@@ -2458,7 +2458,7 @@ static void b43_request_firmware(struct work_struct *work)
|
||||
for (i = 0; i < B43_NR_FWTYPES; i++) {
|
||||
errmsg = ctx->errors[i];
|
||||
if (strlen(errmsg))
|
||||
- b43err(dev->wl, errmsg);
|
||||
+ b43err(dev->wl, "%s", errmsg);
|
||||
}
|
||||
b43_print_fw_helptext(dev->wl, 1);
|
||||
goto out;
|
||||
--
|
||||
cgit v0.9.2
|
||||
@ -751,6 +751,9 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch
|
||||
#CVE-2013-2148 rhbz 971258 971261
|
||||
Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
|
||||
|
||||
#CVE-2013-2852 rhbz 969518 971665
|
||||
Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
@ -1445,6 +1448,9 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch
|
||||
#CVE-2013-2148 rhbz 971258 971261
|
||||
ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
|
||||
|
||||
#CVE-2013-2852 rhbz 969518 971665
|
||||
ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
@ -2250,6 +2256,9 @@ fi
|
||||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Fri Jun 07 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)
|
||||
|
||||
* Thu Jun 06 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2013-2148 fanotify: info leak in copy_event_to_user (rhbz 971258 971261)
|
||||
- CVE-2013-2147 cpqarray/cciss: information leak via ioctl (rhbz 971242 971249)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user