From ${URL} :

Linux kernel built with the IPSec key_socket support (CONFIG_NET_KEY=m) is vulnerable to an information leakage flaw. It occurs while using key_socket's notify_policy interface. A user/program able to access the PF_KEY key_sockets could use this flaw to leak kernel memory bytes.

Upstream fix:
-------------
-> https://git.kernel.org/linus/85dfb745ee40232876663ae206cba35f24ab2a40

Reference:
----------
-> http://www.openwall.com/lists/oss-security/2013/07/03/1
$ git tag --contains 85dfb745ee40232876663ae206cba35f24ab2a40 | grep -v rc | xargs echo
v3.10 v3.9 v3.9.1 v3.9.2 v3.9.3 v3.9.4 v3.9.5 v3.9.6 v3.9.7 v3.9.8 v3.9.9

Already present in branches 3.9 and 3.10, added to genpatches for 3.0, 3.2, 3.4.

------------------------------------------------------------------------
r2435 | tomwij | 2013-07-04 14:39:53 +0200 (Thu, 04 Jul 2013) | 1 line

Applied vulnerable af_key uninitialized field fix to avoid information leakage for bug #475738 to branches 3.0, 3.2 and 3.4.
------------------------------------------------------------------------
CVE-2013-2237 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2237): The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket.
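The mechanism described in the CVE text above, as an added example that is not part of this bug report or of the kernel's own code: a user-space C model of the header fill in key_notify_policy_flush() before and after the upstream commit linked above (which assigns sadb_msg_satype), plus a checker that pre-fills the "skb" with a sentinel byte and reports which header bytes would reach a PF_KEY listener uninitialised. The struct layout is copied from linux/pfkeyv2.h; the sentinel value, the seq/pid inputs, the third memset-based filler and all helper names are constructed for this example.

```c
/*
 * User-space model of the CVE-2013-2237 leak in key_notify_policy_flush()
 * (net/key/af_key.c). Added illustration, not kernel code: the "skb" is a
 * heap buffer pre-filled with a sentinel standing in for stale kernel heap
 * contents, and the checker counts sentinel bytes that survive the fill,
 * i.e. bytes the real broadcast would hand to every PF_KEY listener.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Header layout as in <linux/pfkeyv2.h>: 16 bytes, all copied to user space. */
struct sadb_msg {
    uint8_t  sadb_msg_version;
    uint8_t  sadb_msg_type;
    uint8_t  sadb_msg_errno;
    uint8_t  sadb_msg_satype;
    uint16_t sadb_msg_len;
    uint16_t sadb_msg_reserved;
    uint32_t sadb_msg_seq;
    uint32_t sadb_msg_pid;
} __attribute__((packed));

#define PF_KEY_V2          2
#define SADB_X_SPDFLUSH    17
#define SADB_SATYPE_UNSPEC 0
#define STALE_BYTE         0xA5  /* constructed: stands in for leftover heap data */

typedef void (*hdr_filler)(struct sadb_msg *hdr, uint32_t seq, uint32_t pid);

/* Pre-fix pattern: every member is assigned except sadb_msg_satype, so that
 * byte keeps whatever the allocator left. sadb_msg_reserved is zeroed in all
 * three fillers so that satype is the only difference between them. */
static void fill_spdflush_vulnerable(struct sadb_msg *hdr, uint32_t seq, uint32_t pid)
{
    hdr->sadb_msg_version  = PF_KEY_V2;
    hdr->sadb_msg_type     = SADB_X_SPDFLUSH;
    hdr->sadb_msg_errno    = 0;
    /* sadb_msg_satype deliberately not assigned: this is the leak. */
    hdr->sadb_msg_len      = sizeof(struct sadb_msg) / sizeof(uint64_t);
    hdr->sadb_msg_reserved = 0;
    hdr->sadb_msg_seq      = seq;
    hdr->sadb_msg_pid      = pid;
}

/* Post-fix pattern (upstream 85dfb745): satype is assigned explicitly. */
static void fill_spdflush_fixed(struct sadb_msg *hdr, uint32_t seq, uint32_t pid)
{
    hdr->sadb_msg_version  = PF_KEY_V2;
    hdr->sadb_msg_type     = SADB_X_SPDFLUSH;
    hdr->sadb_msg_errno    = 0;
    hdr->sadb_msg_satype   = SADB_SATYPE_UNSPEC;
    hdr->sadb_msg_len      = sizeof(struct sadb_msg) / sizeof(uint64_t);
    hdr->sadb_msg_reserved = 0;
    hdr->sadb_msg_seq      = seq;
    hdr->sadb_msg_pid      = pid;
}

/* Defensive variant (constructed, not upstream): clear the whole header
 * first, so a member forgotten here or added later cannot leak. */
static void fill_spdflush_zeroed(struct sadb_msg *hdr, uint32_t seq, uint32_t pid)
{
    memset(hdr, 0, sizeof(*hdr));
    hdr->sadb_msg_version = PF_KEY_V2;
    hdr->sadb_msg_type    = SADB_X_SPDFLUSH;
    hdr->sadb_msg_len     = sizeof(struct sadb_msg) / sizeof(uint64_t);
    hdr->sadb_msg_seq     = seq;
    hdr->sadb_msg_pid     = pid;
}

/* Simulate alloc_skb()+skb_put(): give the filler a buffer full of STALE_BYTE,
 * return how many header bytes still carry it and store the first such offset
 * in *first_off (-1 if none). The seq/pid inputs are chosen so that no
 * legitimately written byte equals STALE_BYTE; a surviving sentinel therefore
 * means "never written", not a coincidence. Returns -1 on allocation failure. */
static int leak_bytes(hdr_filler fill, int *first_off)
{
    unsigned char *skb = malloc(sizeof(struct sadb_msg));
    if (!skb)
        return -1;
    memset(skb, STALE_BYTE, sizeof(struct sadb_msg));
    fill((struct sadb_msg *)skb, 1, 4242);   /* constructed seq/pid */
    int count = 0;
    *first_off = -1;
    for (size_t i = 0; i < sizeof(struct sadb_msg); i++) {
        if (skb[i] != STALE_BYTE)
            continue;
        if (*first_off < 0)
            *first_off = (int)i;
        count++;
    }
    free(skb);
    return count;
}

int main(void)
{
    int off;
    int n = leak_bytes(fill_spdflush_vulnerable, &off);
    printf("pre-fix:  %d stale byte(s), first at offset %d (sadb_msg_satype is at %zu)\n",
           n, off, offsetof(struct sadb_msg, sadb_msg_satype));
    n = leak_bytes(fill_spdflush_fixed, &off);
    printf("post-fix: %d stale byte(s)\n", n);
    n = leak_bytes(fill_spdflush_zeroed, &off);
    printf("memset:   %d stale byte(s)\n", n);
    return 0;
}
```

The sentinel scan is the same idea KMSAN and kmemcheck apply automatically to real kernel allocations; for an audit of hand-filled headers like this one, the memset-first variant is the pattern to look for, since a single explicit assignment per field is exactly what went wrong here.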
Fix in 3.4.59 onward