Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 462460 (CVE-2013-1848)

Summary: Kernel : ext3: format string issues (CVE-2013-1848)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: KernelAssignee: Gentoo Kernel Security <security-kernel>
Status: RESOLVED FIXED    
Severity: normal CC: eric-f.garioud, kernel
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2013/03/20/8
Whiteboard:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-03-20 10:25:24 UTC 
From $URL :

ext3_msg() takes the printk prefix as the second parameter and the
format string as the third parameter. Two callers of ext3_msg omit the
prefix and pass the format string as the second parameter and the first
parameter to the format string as the third parameter. In both cases
this string comes from an arbitrary source.

An user able to mount ext3 filesystems could use this flaw to crash the
system or, potentially, increase their privileges.

Upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8d0c2d10dd72c5292eda7a06231056a4c972e4cc

References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1848
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-25 00:29:04 UTC 
Patch in mainline 3.9 onwards