Linux Kernel dm-crypt Fails to Clear Key Storage
|
|
SecurityTracker Alert ID: 1015740
|
|
SecurityTracker URL: http://securitytracker.com/id?1015740
|
|
CVE Reference: CVE-2006-0095
(Links to External Site)
|
Date: Mar 8 2006
|
Impact: Disclosure of authentication information, Disclosure of system information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 2.6.15 and prior versions
|
Description: A vulnerability was reported in dm-crypt in the Linux kernel. A local user can obtain information about cryptographic keys.
The dm-crypt component does not properly clear the crypt_config structure before freeing the structure, which may allow a local user to obtain cryptographic keys.
|
Impact: A local user can obtain information about cryptographic keys.
|
Solution: The vendor has issued a fixed version (2.6.16-rc1).
|
Vendor URL: www.kernel.org/ (Links to External Site)
|
Cause: Access control error, State error
|
Underlying OS: Linux (Caldera/SCO), Linux (Conectiva), Linux (Debian), Linux (EnGarde), Linux (Gentoo), Linux (HP Secure OS), Linux (Immunix), Linux (Mandriva/Mandrake), Linux (Progeny Debian), Linux (Red Hat Enterprise), Linux (Red Hat Fedora), Linux (Red Hat Linux), Linux (SGI), Linux (Slackware), Linux (Sun), Linux (SuSE), Linux (Trustix), Linux (Turbo Linux), Linux (Ubuntu), Linux (Xandros)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Tue, 7 Mar 2006 15:50:43 -0500
Subject: Linux kernel dm-crypt vulnerability
|
CVE-2006-0095:
dm-crypt in Linux kernel 2.6.15 and earlier does not clear a structure before it is
freed, which leads to a memory disclosure that could allow local users to obtain
sensitive information about a cryptographic key.
|
|
