[SRU][F][PATCH 0/1] CVE-2024-42229
Bethany Jamison
bethany.jamison at canonical.com
Mon Sep 16 22:20:26 UTC 2024
[Impact]
crypto: aead,cipher - zeroize key buffer after use
I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding
cryptographic information should be zeroized once they are no longer
needed. Accomplish this by using kfree_sensitive for buffers that
previously held the private key.
[Fix]
Noble: pending (6.8.0-46.46)
Jammy: released
Focal: Backported from linux-5.10.y - ignored context conflict from
neighboring line, missing commit (e8cfed5); changed
'kfree_sensitive' to 'kzfree' to fix conflict
Bionic: fix sent to esm ML
Xenial: fix sent to esm ML
Trusty: won't fix
[Test Case]
Compile tested.
[Where problems could occur]
This fix affects those who use AEAD algorithms or single-block cipher
operations. An issue with this fix would be visible to the user if
sensitive information was found on the buffer after use.
Hailey Mothershead (1):
crypto: aead,cipher - zeroize key buffer after use
crypto/aead.c | 3 +--
crypto/cipher.c | 3 +--
2 files changed, 2 insertions(+), 4 deletions(-)
--
2.34.1
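As an added illustration of the pattern the patch changes (not code from the kernel or from this patch series), the following userspace C sketch mirrors the setkey path: the caller's key is copied into a temporary buffer, handed to the cipher's setkey callback, and the temporary is then wiped before it is freed instead of being released with a plain free(). The names memzero_explicit_ex(), free_sensitive(), mock_cipher, mock_setkey() and setkey_unaligned_ex() are hypothetical stand-ins for the kernel's memzero_explicit(), kfree_sensitive(), the tfm, its setkey() and setkey_unaligned(); the 16-byte key is constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace analog of the kernel's memzero_explicit(): calling memset
 * through a volatile function pointer keeps the compiler from dropping
 * the store as dead code just because the buffer is freed right after. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

static void memzero_explicit_ex(void *p, size_t n)
{
	memset_ptr(p, 0, n);
}

/* Userspace analog of kfree_sensitive(): wipe the buffer, then free it. */
static void free_sensitive(void *p, size_t n)
{
	if (!p)
		return;
	memzero_explicit_ex(p, n);
	free(p);
}

/* Hypothetical cipher state standing in for the tfm. */
struct mock_cipher {
	uint8_t key[32];
	size_t keylen;
};

/* Hypothetical setkey() callback: accepts 16- or 32-byte keys, records
 * the key in the cipher state, returns 0 on success and -1 otherwise. */
static int mock_setkey(struct mock_cipher *tfm, const uint8_t *key, size_t keylen)
{
	if (keylen != 16 && keylen != 32)
		return -1;
	memcpy(tfm->key, key, keylen);
	tfm->keylen = keylen;
	return 0;
}

/* The setkey_unaligned() pattern the patch touches: the key is copied
 * into a temporary buffer, passed to setkey(), and the temporary must
 * then be zeroized rather than plainly freed (FIPS 140-3 I.G 9.7.B). */
static int setkey_unaligned_ex(struct mock_cipher *tfm, const uint8_t *key, size_t keylen)
{
	uint8_t *buffer = malloc(keylen);
	int ret;

	if (!buffer)
		return -1;
	memcpy(buffer, key, keylen);
	ret = mock_setkey(tfm, buffer, keylen);
	free_sensitive(buffer, keylen);   /* plain free(buffer) before the fix */
	return ret;
}

/* Wipes buf and returns how many non-zero bytes remain, so a test can
 * confirm the zeroization path really writes the whole buffer. */
static size_t wipe_and_count_leftover(uint8_t *buf, size_t n)
{
	size_t i, left = 0;

	memzero_explicit_ex(buf, n);
	for (i = 0; i < n; i++)
		if (buf[i])
			left++;
	return left;
}

/* Constructed 16-byte sample key; returns 1 if setkey succeeded, the key
 * was recorded in the cipher state and a copy was fully wiped. */
static int demo_zeroize(void)
{
	static const uint8_t key[16] = {
		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
		0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
	};
	struct mock_cipher tfm = { { 0 }, 0 };
	uint8_t scratch[16];

	memcpy(scratch, key, sizeof scratch);
	if (setkey_unaligned_ex(&tfm, key, sizeof key) != 0)
		return 0;
	if (tfm.keylen != 16 || memcmp(tfm.key, key, 16) != 0)
		return 0;
	return wipe_and_count_leftover(scratch, sizeof scratch) == 0;
}

int main(void)
{
	printf("zeroize demo %s\n", demo_zeroize() ? "ok" : "FAILED");
	return 0;
}
```

The volatile function pointer is the userspace equivalent of why the kernel has memzero_explicit() at all: a compiler is entitled to drop a memset whose target is freed immediately afterwards, which is exactly the store a key wipe depends on.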