-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2013-2239 - Multiple memory leaks in OpenVZ kernel 2.6.32 (042stab080.1) Description =========== Two memory leaks was discovered in the versions before vzkernel patch 042stab080.2. One memory leak in ploop: The ploop_getdevice_ioc function in drivers/block/ploop/dev.c in the vzkernel patch before 042stab080.2 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory. One memory leak in quota: The compat_quotactl function in fs/quota/quota.c in the vzkernel patch before 042stab080.2 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory. Fixed in the 042stab080.2 - [security/ploop] memory info leak fixed (PSBM-20690) - [security/quota] memory info leak fixed (PSBM-20690) Classification ============== Location : Local Access Required Attack Type : Information Disclosure, Input Manipulation Version : vzkernel 2.6.32 (Patch 042stab080.1) Impact : Loss of Confidentiality Solution : Patch / RCS Disclosure : Vendor Verified References ========== CVE ID : CVE-2013-2239 Changelog : http://wiki.openvz.org/Download/kernel/rhel6-testing/042stab080.2 Credit : Jonathan Salwan (Sysdream Security Lab) Timeline ======== 2013-06-16 : Bugs found 2013-06-19 : Bugs reported 2013-06-28 : Bugs fixed 2013-06-29 : CVE request 2013-07-04 : CVE assigned -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (GNU/Linux) iQEcBAEBAgAGBQJR1bGVAAoJEPOJsN31NSLhNiwH/RIbZIymS4Lp+sY2qziAqVrB p1UbgPt85c5wFKIpqjmOcN1u+SSwYZ1wgAhKhcK5SaCkViOjtGSeT82klD6BIA67 PfSYyg6FaSHbTKltAGCiEGw5m28s9XrdN0SQXRGA0tq9dsZW/3mD7WlAS59DI40m DgUCaoAoiRuLyfwqh1BWo1zuNaTleIBmiyPCok7BvvCYwuzQ0qFm0o8+5R69/Wpx g86m0deqxyspEKbe4Cg8dUWQVnrTUsCmflB16N9Fozcy9zRCJR4wAE2BaBuSj6XW cYPq/XQTKVXseqIoNYGDyEAFmWdxDNGlzdelstG+JQPIXH+FLN8KSvHJwHfKBh4= =TMse -----END PGP SIGNATURE-----