Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 475762 (CVE-2013-2239) - <sys-kernel/openvz-sources-2.6.32.80.2 : Multiple memory leaks (CVE-2013-2239)
Summary: <sys-kernel/openvz-sources-2.6.32.80.2 : Multiple memory leaks (CVE-2013-2239)
Status: RESOLVED FIXED
Alias: CVE-2013-2239
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-04 19:15 UTC by Agostino Sarubbo
Modified: 2013-11-15 08:26 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-07-04 19:15:25 UTC
From $URL:


  - [security/ploop] memory info leak fixed (PSBM-20690)
  - [security/quota] memory info leak fixed (PSBM-20690)


Classification
==============

Location    : Local Access Required 
Attack Type : Information Disclosure, Input Manipulation 
Version     : vzkernel 2.6.32 (Patch 042stab080.1)
Impact      : Loss of Confidentiality 
Solution    : Patch / RCS 
Disclosure  : Vendor Verified


References
==========

CVE ID    : CVE-2013-2239
Changelog : http://wiki.openvz.org/Download/kernel/rhel6-testing/042stab080.2
Credit    : Jonathan Salwan (Sysdream Security Lab)
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2013-07-23 07:14:21 UTC
According to upstream this is not important security issue thus it'll be fixed next stable release.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-11-15 08:25:30 UTC
CVE-2013-2239 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2239):
  vzkernel before 042stab080.2 in the OpenVZ modification for the Linux kernel
  2.6.32 does not initialize certain length variables, which allows local
  users to obtain sensitive information from kernel stack memory via (1) a
  crafted ploop driver ioctl call, related to the ploop_getdevice_ioc function
  in drivers/block/ploop/dev.c or (2) a crafted quotactl system call, related
  to the compat_quotactl function in fs/quota/quota.c.
Comment 3 Sergey Popov gentoo-dev 2013-11-15 08:26:44 UTC
According to CVE tree contains stable version without this vulnerability.

No GLSA for kernel package, closing.