Bugzilla – Full Text Bug Listing
|Summary:||VUL-0: CVE-2021-3736: kernel-source-rt,kernel-source,kernel-source-azure: uninitialized kernel stack may lead to information disclosure|
|Product:||[Novell Products] SUSE Security Incidents||Reporter:||Gianluca Gabrielli <gianluca.gabrielli>|
|Component:||Incidents||Assignee:||Kernel Bugs <kernel-bugs>|
|Status:||RESOLVED WONTFIX||QA Contact:||Security Team bot <security-team>|
|Priority:||P3 - Medium||CC:||bpetkov, smash_bz, tiwai|
|Found By:||Security Response Team||Services Priority:|
|Marketing QA Status:||---||IT Deployment:||---|
Description Gianluca Gabrielli 2021-11-04 13:14:28 UTC
Comment 1 Gianluca Gabrielli 2021-11-04 13:16:28 UTC
Technical details are not yet made public, I will monitor it and post updates as soon as possible.
Comment 2 Gianluca Gabrielli 2021-11-09 10:57:41 UTC
I think the fixing commit should be de5494af4815a4c9328536c72741229b7de88e7f, which in turn addresses 681c1615f8914451cfd432ad30e2f307b6490542. If my assumption is correct, the branches containing the offended commit are: - SLE15-SP4 - stable which also contains the fixing commit. @kernel-team: can you also provide your feedback here? Thanks
Comment 3 Takashi Iwai 2021-11-09 11:04:02 UTC
Too little information to judge, but that's the only change seen in the relevant code path, and the description matches with it, so it's very likely the case.
Comment 4 Gianluca Gabrielli 2021-11-30 13:27:18 UTC
(In reply to Takashi Iwai from comment #3) > Too little information to judge, but that's the only change seen in the > relevant code path, and the description matches with it, so it's very likely > the case. From RH  they agree about the fixing commit.  https://bugzilla.redhat.com/show_bug.cgi?id=1995570#c7
Comment 5 Borislav Petkov 2021-12-03 08:51:38 UTC
Wait a minute - this is a fix for code in samples/ which is toy stuff and we have in the three latest branches I checked # CONFIG_SAMPLES is not set so why do we even bother with this?
Comment 6 Gianluca Gabrielli 2021-12-03 09:09:06 UTC
(In reply to Borislav Petkov from comment #5) > Wait a minute - this is a fix for code in samples/ which is toy stuff and we > have in the three latest branches I checked > > # CONFIG_SAMPLES is not set > > so why do we even bother with this? You are right, CONFIG_SAMPLES is not set both for SLES and openSUSE configs. I agree with you and we can close this issue as WONTFIX. Thanks for your feedback.