Summary: | Kernel: Data exposure in geode aes driver (CVE-2007-2451) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
Component: | Kernel | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | dev |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2451 | | |
Whiteboard: | [linux < 2.6.20.12][gp < 2.6.20-11] | | |
Package list: | | Runtime testing required: | --- |
Description
Sune Kloppenborg Jeppesen (RETIRED)
This bug has been hanging around for quite some time. Just out of curiosity I looked at the original CVE entry. Seems to have been fixed in 2.6.20.12 (as well as the version mentioned originally).

I've also compared it to the current version of geode_aes.c (in gentoo-sources-2.6.23-r8): in the meantime there has been a one-line stability/bug fix applied to the CVE fix. No idea if this is of any consequence to security or not. See:

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=history;f=drivers/crypto/geode-aes.c;h=fa4c9904346f5ec223da20732c2fed99ff756b8e;hb=HEAD

I'm not knowledgeable enough to know about the consequences of that one line. If it is of no consequence, I suppose this bug could be closed. The recent gentoo.org advisory to update to the latest kernel versions (http://www.gentoo.org/news/20080213-vmsplice.xml) would now probably render this bug obsolete?

Cheers,
Stephen

Thanks, Stephen.

metadata:
[linux < 2.6.20.12] f66e4a9471d067a04d53904890dc1b84208cdda9
also in 2.6.21.3 798cc2793266667e88a6d328b5d1e1e68f41095d
[gp < 2.6.21-4]

correction: [gp < 2.6.20-11]