Bug 1108154 - (CVE-2018-16948) VUL-1: CVE-2018-16948: openafs: RXAFSCB_TellMeAboutYourself leaks kernel memory and KAM_ListEntry leaks kaserver memory
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low
Severity: Minor
Assigned To: Christof Hanke
Security Team bot
https://smash.suse.de/issue/214127/
Reported: 2018-09-12 10:21 UTC by Alexander Bergmann
Modified: 2018-09-14 04:20 UTC

Found By: Security Response Team
Description Alexander Bergmann 2018-09-12 10:21:21 UTC
CVE-2018-16948

An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. Several
RPC server routines did not fully initialize their output variables before
returning, leaking memory contents from both the stack and the heap. Because the
OpenAFS cache manager functions as an Rx server for the AFSCB service, clients
are also susceptible to information leakage. For example,
RXAFSCB_TellMeAboutYourself leaks kernel memory and KAM_ListEntry leaks kaserver
memory.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16948
http://openafs.org/pages/security/OPENAFS-SA-2018-002.txt
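
The bug class described above (an RPC server routine returning an output variable it only partly filled in), shown beside the zero-before-fill fix. This is an added example, not OpenAFS code and not part of the original report; the struct, the handler names and the 0xAA fill that stands in for leftover stack or heap contents are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA  /* constructed marker standing in for leftover stack/heap bytes */
/* Hypothetical RPC output structure; not an OpenAFS definition. */
struct iface_reply {
    uint32_t count;     /* number of valid entries in addr[] */
    uint32_t addr[8];   /* only the first `count` entries are meaningful */
    char     name[16];  /* NUL-terminated, remainder unused */
};
typedef void (*handler_fn)(struct iface_reply *);

/* Writes only the fields it has data for. */
static void fill_fields(struct iface_reply *out)
{
    out->count = 2;
    out->addr[0] = 0x0a000001;
    out->addr[1] = 0x0a000002;
    strcpy(out->name, "cm");
}

/* Vulnerable pattern: the output is not initialized before the partial fill. */
void handler_leaky(struct iface_reply *out) { fill_fields(out); }

/* Hardened pattern: zero the whole output, then fill. */
void handler_fixed(struct iface_reply *out)
{
    memset(out, 0, sizeof(*out));
    fill_fields(out);
}

/* Count bytes of prior memory contents that would be marshalled to the peer. */
size_t stale_bytes_after(handler_fn handler)
{
    struct iface_reply reply;
    const unsigned char *p = (const unsigned char *)&reply;
    size_t i, stale = 0;
    memset(&reply, STALE, sizeof(reply));  /* simulate reused memory */
    handler(&reply);
    for (i = 0; i < sizeof(reply); i++)
        stale += (p[i] == STALE);
    return stale;
}

int main(void)
{
    printf("leaky: %zu stale bytes, fixed: %zu\n",
           stale_bytes_after(handler_leaky), stale_bytes_after(handler_fixed));
    return 0;
}
```

Every byte the leaky handler leaves untouched (unused array slots, the tail of the name buffer, any padding) goes out on the wire with whatever the memory held before.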
Comment 1 Christof Hanke 2018-09-12 12:24:15 UTC
Updated packages in OBS to versions 1.6.23 and 1.8.2.
1.8.2 needs to be approved for Factory.
Comment 2 Christof Hanke 2018-09-14 04:20:27 UTC
Update accepted to Factory.