Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 512998 (CVE-2014-4027)

Summary: Kernel: rd_mcp backend: information leak in the iSCSI target subsystem (CVE-2014-4027)
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: KernelAssignee: Gentoo Kernel Security <security-kernel>
Status: RESOLVED FIXED    
Severity: normal CC: kernel
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://seclists.org/oss-sec/2014/q2/510
Whiteboard:
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-11 19:52:25 UTC 
Jorge Daniel Sequeira Matias discovered an information leak in the rd_mcp backend
of the iSCSI target subsystem in the Linux kernel (originally reported to the
Debian Security Team and investigated by Nicholas A. Bellinger):

Introduced in 2.6.38 and fixed in 3.14 with
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4442dc8a92b8f9ad8ee9e7f8438f4c04c03a22dc
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 14:18:06 UTC 
CVE-2014-4027 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4027):
  The rd_build_device_space function in drivers/target/target_core_rd.c in the
  Linux kernel before 3.14 does not properly initialize a certain data
  structure, which allows local users to obtain sensitive information from
  ramdisk_mcp memory by leveraging access to a SCSI initiator.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-25 22:12:38 UTC 
Yep, fixed in 3.14.