Bug 1136602 - (CVE-2019-12379) VUL-1: CVE-2019-12379: kernel-source: An issue was discovered in con_insert_unipair in drivers/tty/vt/consolemap.c in the Linux kernel through 5.1.5. There is a memory leak in a certain case of an ENOMEM outcome of kmalloc.
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/233865/
CVSSv3:SUSE:CVE-2019-12379:3.3:(AV:L/...
Reported: 2019-05-28 13:49 UTC by Marcus Meissner
Modified: 2020-07-27 18:17 UTC
Found By: Security Response Team
Description Marcus Meissner 2019-05-28 13:49:40 UTC
CVE-2019-12379

An issue was discovered in con_insert_unipair in drivers/tty/vt/consolemap.c in
the Linux kernel through 5.1.5. There is a memory leak in a certain case of an
ENOMEM outcome of kmalloc.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12379
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git/commit/?h=tty-next&id=84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac
Comment 1 Takashi Iwai 2019-05-28 14:12:16 UTC
Seems to hit all past releases including 2.6.16.
The file location was changed (drivers/char/consolemap.c in earlier kernels), though.
Comment 3 Takashi Iwai 2019-06-19 18:40:22 UTC
The suggested fix patch was already dropped from linux-next. And, as far as I read the code, there are no actual memory leaks.

Let's push back.
Comment 4 Jiri Slaby 2019-06-21 11:25:03 UTC
(In reply to Marcus Meissner from comment #0)
> CVE-2019-12379

The patch is pure *** (whatever). Even if it were correct, it never deserved a CVE number. Is there a way to find out who requests a CVE number?

MITRE should care a bit more...
Comment 5 Marcus Meissner 2019-07-15 08:55:37 UTC
Will not fix this.