Re: CVE request: kernel: two bluetooth and one ebtables infoleaks/DoSes

[Petr Matousek <pmatouse () redhat com>]

> "struct sco_conninfo has one padding byte in the end. Local variable
> cinfo of type sco_conninfo is copied to userspace with this
> uninizialized one byte, leading to old stack contents leak."
>
> https://lkml.org/lkml/2011/2/14/49

Please use CVE-2011-1078.

> "Struct ca is copied from userspace. It is not checked whether the
> "device" field is NULL terminated. This potentially leads to BUG()
> inside of alloc_netdev_mqs() and/or information leak by creating a
> device with a name made of contents of kernel stack."
>
> https://lkml.org/lkml/2011/2/14/50

Please use CVE-2011-1079.

> "Struct tmp is copied from userspace. It is not checked whether the
> "name" field is NULL terminated. This may lead to buffer overflow and
> passing contents of kernel stack as a module name to
> try_then_request_module() and, consequently, to modprobe commandline.
> It would be seen by all userspace processes."
>
> https://lkml.org/lkml/2011/2/14/51

Please use CVE-2011-1080.

Thanks you,
--
Petr Matousek / Red Hat Security Response Team