[PATCH 0/1][SRU][B] CVE-2018-19854 - Crypto API info leak
Tyler Hicks
tyhicks at canonical.com
Fri Jan 25 02:08:07 UTC 2019
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19854.html
An issue was discovered in the Linux kernel before 4.19.3.
crypto_report_one() and related functions in crypto/crypto_user.c (the
crypto user configuration API) do not fully initialize structures that are
copied to userspace, potentially leaking sensitive memory to user programs.
NOTE: this is a CVE-2013-2547 regression but with easier exploitability
because the attacker does not need a capability (however, the system must
have the CONFIG_CRYPTO_USER kconfig option).
After adjusting the target filename of the patch, this was a clean cherry-pick
to Bionic. I've only boot tested this change in the Bionic kernel.
Tyler
More information about the kernel-team
mailing list