diff --git a/kernel.spec b/kernel.spec index 1461933..2dbea07 100644 --- a/kernel.spec +++ b/kernel.spec @@ -658,6 +658,9 @@ Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch #CVE-2016-4951 rhbz 1338625 1338626 Patch720: tipc-check-nl-sock-before-parsing-nested-attributes.patch +#CVE-2016-5243 rhbz 1343338 1343335 +Patch721: tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch + # END OF PATCH DEFINITIONS %endif @@ -2175,6 +2178,9 @@ fi # # %changelog +* Tue Jun 07 2016 Josh Boyer +- CVE-2016-5243 info leak in tipc (rhbz 1343338 1343335) + * Wed Jun 01 2016 Justin M. Forbes 4.5.6-200 - Linux v4.5.6 diff --git a/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch b/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch new file mode 100644 index 0000000..9cd7c09 --- /dev/null +++ b/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch @@ -0,0 +1,32 @@ +From 5d2be1422e02ccd697ccfcd45c85b4a26e6178e2 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Thu, 2 Jun 2016 04:04:56 -0400 +Subject: tipc: fix an infoleak in tipc_nl_compat_link_dump + +link_info.str is a char array of size 60. Memory after the NULL +byte is not initialized. Sending the whole object out can cause +a leak. + +Signed-off-by: Kangjie Lu +Signed-off-by: David S. Miller +--- + net/tipc/netlink_compat.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c +index f795b1d..3ad9fab 100644 +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -604,7 +604,8 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg, + + link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]); + link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP])); +- strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME])); ++ nla_strlcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]), ++ TIPC_MAX_LINK_NAME); + + return tipc_add_tlv(msg->rep, TIPC_TLV_LINK_INFO, + &link_info, sizeof(link_info)); +-- +cgit v0.12 +