| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022616-CVE-2022-49627-ec2b@gregkh> Date: Wed, 26 Feb 2025 03:23:10 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-49627: ima: Fix potential memory leak in ima_init_crypto() Description =========== In the Linux kernel, the following vulnerability has been resolved: ima: Fix potential memory leak in ima_init_crypto() On failure to allocate the SHA1 tfm, IMA fails to initialize and exits without freeing the ima_algo_array. Add the missing kfree() for ima_algo_array to avoid the potential memory leak. The Linux kernel CVE team has assigned CVE-2022-49627 to this issue. Affected and fixed versions =========================== Issue introduced in 5.8 with commit 6d94809af6b0830c4dfcad661535a5939bcb8a7d and fixed in 5.10.132 with commit c1d9702ceb4a091da6bee380627596d1fba09274 Issue introduced in 5.8 with commit 6d94809af6b0830c4dfcad661535a5939bcb8a7d and fixed in 5.15.56 with commit 601ae26aa2802a4c10c94d7388a99eabdbefab2b Issue introduced in 5.8 with commit 6d94809af6b0830c4dfcad661535a5939bcb8a7d and fixed in 5.18.13 with commit 830de9667b3ada0a75a3f098dfc7159709fe397b Issue introduced in 5.8 with commit 6d94809af6b0830c4dfcad661535a5939bcb8a7d and fixed in 5.19 with commit 067d2521874135267e681c19d42761c601d503d6 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49627 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: security/integrity/ima/ima_crypto.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/c1d9702ceb4a091da6bee380627596d1fba09274 https://git.kernel.org/stable/c/601ae26aa2802a4c10c94d7388a99eabdbefab2b https://git.kernel.org/stable/c/830de9667b3ada0a75a3f098dfc7159709fe397b https://git.kernel.org/stable/c/067d2521874135267e681c19d42761c601d503d6
Powered by blists - more mailing lists