• CENTRE D’URGENCE | 24/7
  • Vous êtes victime d’une cyberattaque ?
  • Contactez notre centre d’urgence cyber :
  • +33 (0)1 83 07 00 06

Multiple memory leaks in OpenVZ kernel 2.6.32 (042stab080.1)

Two memory leaks was discovered in the versions before vzkernel patch 042stab080.2. One memory leak in ploop: The ploop_getdevice_ioc function in drivers/block/ploop/dev.c in the vzkernel patch before 042stab080.2 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory. One memory leak in quota: The compat_quotactl function in fs/quota/quota.c in the vzkernel patch before 042stab080.2 does not initialize a certain length variable,

juillet 5, 2013

Description

Two memory leaks was discovered in the versions before vzkernel patch 042stab080.2. One memory leak in ploop: The ploop_getdevice_ioc function in drivers/block/ploop/dev.c in the vzkernel patch before 042stab080.2 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory. One memory leak in quota: The compat_quotactl function in fs/quota/quota.c in the vzkernel patch before 042stab080.2 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory. Fixed in the 042stab080.2 – [security/ploop] memory info leak fixed (PSBM-20690) – [security/quota] memory info leak fixed (PSBM-20690) Classification

Location

Local Access Required Attack Type : Information Disclosure, Input Manipulation Version : vzkernel 2.6.32 (Patch 042stab080.1)

Impact

Loss of Confidentiality Solution : Patch / RCS Disclosure : Vendor Verified References

CVE ID

CVE-2013-2239

Changelog

http://wiki.openvz.org/Download/kernel/rhel6-testing/042stab080.2

Credit

Jonathan Salwan (Sysdream Security Lab)

Timeline

  • 2013-06-16 : Bugs found 2013-06-19 : Bugs reported 2013-06-28 : Bugs fixed 2013-06-29 : CVE request 2013-07-04 : CVE assigned

Contactez-nous