** Description changed: - A local user could use the missing size check in - sctp_getsockopt_assoc_stats() function to escalate their privileges. On - x86 this might be mitigated by destination object size check as the - destination size is known at compile time. + The sctp_getsockopt_assoc_stats function in net/sctp/socket.c in the + Linux kernel before 3.8.4 does not validate a size value before + proceeding to a copy_from_user operation, which allows local users to + gain privileges via a crafted application that contains an + SCTP_GET_ASSOC_STATS getsockopt system call. Break-Fix: 196d67593439b03088913227093e374235596e33 726bc6b092da4c093eb74d13c07184b18c1af0f1
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1152791 Title: CVE-2013-1828 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1152791/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
