In the Linux kernel through 4.20.10, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr. https://www.securityfocus.com/bid/107063
Hi, today updates were pushed by upstream that contain the fix[1]:

4.14.103: 6e4c01ee785c2192fcc4be234cedde3706309a7e
4.19.25: eb5e6869125f69dd28513f92992d97ec62bb9773
4.20.12: cc5cb5c0d03d9a990dd6d40dce5a5cf96de8e81e

5.0-rc7 seems to be still affected; this shouldn't matter as 5.0 or RC8 might be released within the next days (based on the typical "release cycle").

Kernels prior to 4.10 might be unaffected according to a German news magazine[2].

With the fix applied the file crypto/af_alg.c must contain inside the function af_alg_release() the additional line sock->sk = NULL; (plus the corresponding curly brackets).

[1] The fix is inside the commit with the summary "net: crypto set sk to NULL when af_alg_release." respectively 5.0 commit 9060cb719e61b685ec0102574e10337fa5f445ea.
[2] https://heise.de/-4315290
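The pattern behind this fix, as an added user-space C model that is not kernel code and not taken from any of the commits above: the structures, the `*_model` helpers and the `af_alg_release_before`/`af_alg_release_after` names are hypothetical stand-ins. A `freed` flag replaces the real kfree() so the stale-pointer access can be detected safely instead of being undefined behaviour. The point it shows is why the one-line `sock->sk = NULL;` matters: the consumer (modelled on sockfs_setattr) treats a non-NULL `sock->sk` as a live socket, so a release path that drops the reference without clearing the pointer leaves a dangling pointer for the next caller.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Hypothetical, minimal models of the two kernel structures involved.
 * The "freed" flag stands in for kfree() so a dangling access can be
 * detected in user space instead of being undefined behaviour. */
struct sock {
    int refcount;
    int freed;
    unsigned int sk_uid;
};

struct socket {
    struct sock *sk;
};

static struct sock *sk_alloc_model(void)
{
    struct sock *sk = calloc(1, sizeof(*sk));
    if (sk)
        sk->refcount = 1;
    return sk;
}

/* Model of sock_put(): dropping the last reference releases the object. */
static void sock_put_model(struct sock *sk)
{
    if (--sk->refcount == 0)
        sk->freed = 1;      /* real kernel: the object is kfree()d here */
}

/* Vulnerable pattern: the reference is dropped, but sock->sk still points
 * at the released object. */
static void af_alg_release_before(struct socket *sock)
{
    if (sock->sk)
        sock_put_model(sock->sk);
}

/* Fixed pattern: clear sock->sk once the reference is gone, so later
 * users see "no socket attached" instead of a stale pointer. */
static void af_alg_release_after(struct socket *sock)
{
    if (sock->sk) {
        sock_put_model(sock->sk);
        sock->sk = NULL;
    }
}

/* Model of the consumer (sockfs_setattr): a non-NULL sock->sk is taken to
 * be a live socket and the new owner is written into it.
 * Returns  1 if the uid was written to a live sock,
 *          0 if there was no sock to update (sock->sk == NULL),
 *         -1 if it would have written into released memory (the UAF). */
static int sockfs_setattr_model(struct socket *sock, unsigned int new_uid)
{
    if (!sock->sk)
        return 0;
    if (sock->sk->freed)
        return -1;
    sock->sk->sk_uid = new_uid;
    return 1;
}

/* Run the sequence "release, then setattr" with either variant of the
 * release function and report what the consumer observed. */
static int run_sequence(int use_fixed_release)
{
    struct socket sock;
    struct sock *sk = sk_alloc_model();
    int result;

    if (!sk)
        return -2;
    sock.sk = sk;

    if (use_fixed_release)
        af_alg_release_after(&sock);
    else
        af_alg_release_before(&sock);

    result = sockfs_setattr_model(&sock, 1000);

    free(sk);   /* the model object is only reclaimed here, after the check */
    return result;
}

int main(void)
{
    printf("unfixed release, then setattr: %d (stale pointer would be used)\n",
           run_sequence(0));
    printf("fixed release, then setattr:   %d (no sock to update)\n",
           run_sequence(1));
    return 0;
}
```

Compile with `cc -Wall model.c && ./a.out`; the unfixed sequence reports -1 (the consumer reached a released object) and the fixed sequence reports 0 (the NULL pointer is handled as "no socket"). The same model is a reasonable template when reviewing other release paths for the "reference dropped, pointer kept" pattern.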
Stable candidates committed in:

sys-kernel/gentoo-sources-4.19.25: 1cc8f57d0e255e49d454aa2e10ed635100a9a2b9
sys-kernel/gentoo-sources-4.14.103: 5910e16d0838d7b37f75321a6b488a0ca5fbc807
sys-kernel/gentoo-sources-4.9.160: ffd70cc88542c25db5b0328d619c720ba0c49c15
sys-kernel/gentoo-sources-4.4.176: efc2e58391a39331474b32aca3955f2c639f4aa7

awaiting stabilization
Long been stabilized