| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 1 May 2024 15:06:52 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-27388: SUNRPC: fix some memleaks in gssx_dec_option_array Description =========== In the Linux kernel, the following vulnerability has been resolved: SUNRPC: fix some memleaks in gssx_dec_option_array The creds and oa->data need to be freed in the error-handling paths after their allocation. So this patch add these deallocations in the corresponding paths. The Linux kernel CVE team has assigned CVE-2024-27388 to this issue. Affected and fixed versions =========================== Issue introduced in 3.10 with commit 1d658336b05f and fixed in 4.19.311 with commit b97c37978ca8 Issue introduced in 3.10 with commit 1d658336b05f and fixed in 5.4.273 with commit bfa9d86d39a0 Issue introduced in 3.10 with commit 1d658336b05f and fixed in 5.10.214 with commit bb336cd8d5ec Issue introduced in 3.10 with commit 1d658336b05f and fixed in 5.15.153 with commit dd292e884c64 Issue introduced in 3.10 with commit 1d658336b05f and fixed in 6.1.83 with commit 934212a623cb Issue introduced in 3.10 with commit 1d658336b05f and fixed in 6.6.23 with commit 5e6013ae2c8d Issue introduced in 3.10 with commit 1d658336b05f and fixed in 6.7.11 with commit 9806c2393cd2 Issue introduced in 3.10 with commit 1d658336b05f and fixed in 6.8.2 with commit 996997d1fb21 Issue introduced in 3.10 with commit 1d658336b05f and fixed in 6.9-rc1 with commit 3cfcfc102a5e Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-27388 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/sunrpc/auth_gss/gss_rpc_xdr.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/b97c37978ca825557d331c9012e0c1ddc0e42364 https://git.kernel.org/stable/c/bfa9d86d39a0fe4685f90c3529aa9bd62a9d97a8 https://git.kernel.org/stable/c/bb336cd8d5ecb69c430ebe3e7bcff68471d93fa8 https://git.kernel.org/stable/c/dd292e884c649f9b1c18af0ec75ca90b390cd044 https://git.kernel.org/stable/c/934212a623cbab851848b6de377eb476718c3e4c https://git.kernel.org/stable/c/5e6013ae2c8d420faea553d363935f65badd32c3 https://git.kernel.org/stable/c/9806c2393cd2ab0a8e7bb9ffae02ce20e3112ec4 https://git.kernel.org/stable/c/996997d1fb2126feda550d6adcedcbd94911fc69 https://git.kernel.org/stable/c/3cfcfc102a5e57b021b786a755a38935e357797d
Powered by blists - more mailing lists