n Unspecified vulnerability in drivers/crypto/geode-aes.c in GEODE-AES in the Linux kernel before 2.6.21.3 allows attackers to obtain sensitive information via unspecified vectors.
This bug has been hanging around for quite some time. Just out of curiosity I looked at the original CVE entry. Seems to have been fixed in 2.6.20.12 (as well as the version mentioned originally) I've also compared it to the current version of geode_aes.c (in gentoo-sources-2.6.23-r8): in the meantime there has been a one-line stability/bug fix applied to the CVE fix. No idea if this is of any consequence to security or not. See: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=history;f=drivers/crypto/geode-aes.c;h=fa4c9904346f5ec223da20732c2fed99ff756b8e;hb=HEAD I'm not knowledgeable enough to know about the consequences of that one line. If it is of no consequence, I suppose this bug could be closed. The recent gentoo.org advisory to update to the latest kernel versions (http://www.gentoo.org/news/20080213-vmsplice.xml) would now probably render this bug obsolete? Cheers, Stephen
thanks stephen metadata: [linux < 2.6.20.12] f66e4a9471d067a04d53904890dc1b84208cdda9 also in 2.6.21.3 798cc2793266667e88a6d328b5d1e1e68f41095d [gp < 2.6.21-4]
correction: [gp < 2.6.20-11]
