[kernel/f17] CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)
Josh Boyer
jwboyer at fedoraproject.org
Fri Jun 7 12:18:41 UTC 2013
commit e6a99843292daa469a36de60f2fec69ca958529a
Author: Josh Boyer <jwboyer at redhat.com>
Date: Fri Jun 7 08:15:42 2013 -0400
CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)
...top-format-string-leaking-into-error-msgs.patch | 32 ++++++++++++++++++++
kernel.spec | 9 +++++
2 files changed, 41 insertions(+), 0 deletions(-)
---
diff --git a/b43-stop-format-string-leaking-into-error-msgs.patch b/b43-stop-format-string-leaking-into-error-msgs.patch
new file mode 100644
index 0000000..84249e5
--- /dev/null
+++ b/b43-stop-format-string-leaking-into-error-msgs.patch
@@ -0,0 +1,32 @@
+From 9538cbaab6e8b8046039b4b2eb6c9d614dc782bd Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook at chromium.org>
+Date: Fri, 10 May 2013 21:48:21 +0000
+Subject: b43: stop format string leaking into error msgs
+
+The module parameter "fwpostfix" is userspace controllable, unfiltered,
+and is used to define the firmware filename. b43_do_request_fw() populates
+ctx->errors[] on error, containing the firmware filename. b43err()
+parses its arguments as a format string. For systems with b43 hardware,
+this could lead to a uid-0 to ring-0 escalation.
+
+CVE-2013-2852
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at vger.kernel.org
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+---
+diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
+index 6dd07e2..a95b77a 100644
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -2458,7 +2458,7 @@ static void b43_request_firmware(struct work_struct *work)
+ for (i = 0; i < B43_NR_FWTYPES; i++) {
+ errmsg = ctx->errors[i];
+ if (strlen(errmsg))
+- b43err(dev->wl, errmsg);
++ b43err(dev->wl, "%s", errmsg);
+ }
+ b43_print_fw_helptext(dev->wl, 1);
+ goto out;
+--
+cgit v0.9.2
diff --git a/kernel.spec b/kernel.spec
index 6325575..502954d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -760,6 +760,9 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch
#CVE-2013-2148 rhbz 971258 971261
Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
+#CVE-2013-2852 rhbz 969518 971665
+Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1474,6 +1477,9 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch
#CVE-2013-2148 rhbz 971258 971261
ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
+#CVE-2013-2852 rhbz 969518 971665
+ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2325,6 +2331,9 @@ fi
# '-' | |
# '-'
%changelog
+* Fri Jun 07 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)
+
* Thu Jun 06 2013 Josh Boyer <jwboyer at redhat.com>
- CVE-2013-2148 fanotify: info leak in copy_event_to_user (rhbz 971258 971261)
- CVE-2013-2147 cpqarray/cciss: information leak via ioctl (rhbz 971242 971249)
More information about the scm-commits
mailing list