From ${URL} : found in the mainline kernel git:

commit a5cc68f3d63306d0d288f31edfc2ae6ef8ecd887
Author: Mathias Krause <minipli@...glemail.com>
Date:   Wed Jun 26 23:52:30 2013 +0200

    af_key: fix info leaks in notify messages

    key_notify_sa_flush() and key_notify_policy_flush() fail to initialize
    the sadb_msg_reserved member of the broadcasted message and thereby
    leak 2 bytes of heap memory to listeners. Fix that.

    Signed-off-by: Mathias Krause <minipli@...glemail.com>
    Cc: Steffen Klassert <steffen.klassert@...unet.com>
    Cc: "David S. Miller" <davem@...emloft.net>
    Cc: Herbert Xu <herbert@...dor.apana.org.au>
    Signed-off-by: David S. Miller <davem@...emloft.net>

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a5cc68f3d63306d0d288f31edfc2ae6ef8ecd887
Present in 3.10; added to genpatches for 3.9.9, as it is not in the stable queue.

------------------------------------------------------------------------
r2428 | tomwij | 2013-07-03 16:25:51 +0200 (Wed, 03 Jul 2013) | 1 line

Applied af_key info leak security fix for bug #475604 to 3.9 branch.
------------------------------------------------------------------------
Checked the LTS branches as well now.

------------------------------------------------------------------------
r2429 | tomwij | 2013-07-03 16:52:52 +0200 (Wed, 03 Jul 2013) | 1 line

Applied af_key info leak security fix for bug #475604 to branches 3.0, 3.2 and 3.4.
------------------------------------------------------------------------
CVE-2013-2234 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2234): The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.
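Added example, not the kernel's code or the patch quoted above: it models the struct sadb_msg header from <linux/pfkeyv2.h>, builds a flush notification in a buffer pre-filled with a constructed marker byte that stands in for stale heap contents, and counts how many header bytes would reach listening PF_KEY sockets uninitialized, with and without the reserved-member initialization the commit adds. The marker value, the malloc/memset model of the allocation and the byte scan are assumptions of this demonstration, not kernel behaviour.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* struct sadb_msg layout from <linux/pfkeyv2.h>: 16 bytes, no padding. */
struct sadb_msg {
    uint8_t  sadb_msg_version;
    uint8_t  sadb_msg_type;
    uint8_t  sadb_msg_errno;
    uint8_t  sadb_msg_satype;
    uint16_t sadb_msg_len;
    uint16_t sadb_msg_reserved;
    uint32_t sadb_msg_seq;
    uint32_t sadb_msg_pid;
};
#define STALE 0xA5 /* constructed marker standing in for old heap contents */

/* Fill the header as the flush notifiers do; with fix_reserved == 0 the
 * sadb_msg_reserved member is left untouched, mirroring the pre-fix code. */
static void build_flush_hdr(struct sadb_msg *hdr, uint8_t type, int fix_reserved)
{
    hdr->sadb_msg_version = 2;            /* PF_KEY_V2 */
    hdr->sadb_msg_type = type;
    hdr->sadb_msg_errno = 0;
    hdr->sadb_msg_satype = 0;
    hdr->sadb_msg_len = sizeof *hdr / 8;  /* length in 64-bit units */
    if (fix_reserved)
        hdr->sadb_msg_reserved = 0;       /* the one-line fix */
    hdr->sadb_msg_seq = 0;
    hdr->sadb_msg_pid = 0;
}

/* Build a flush message in a buffer that still holds old contents (no
 * zeroing, like an skb_put() region) and count the bytes that would reach
 * listening PF_KEY sockets uninitialized. Returns -1 on allocation failure. */
int count_leaked_bytes(int fix_reserved)
{
    struct sadb_msg *hdr = malloc(sizeof *hdr);
    if (!hdr)
        return -1;
    memset(hdr, STALE, sizeof *hdr);      /* simulate stale heap */
    build_flush_hdr(hdr, 9 /* SADB_FLUSH */, fix_reserved);
    const unsigned char *p = (const unsigned char *)hdr;
    int leaked = 0;
    for (size_t i = 0; i < sizeof *hdr; i++)
        leaked += (p[i] == STALE);
    free(hdr);
    return leaked;
}
```

count_leaked_bytes(0) returns 2, the two bytes of sadb_msg_reserved the commit message describes, and count_leaked_bytes(1) returns 0 once the member is zeroed. The same poison-fill-and-scan check is a cheap way to audit any message builder that writes a struct field by field into an unzeroed buffer.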
Fix in 3.4.55 onward