Upstream information
Description
vzkernel before 042stab080.2 in the OpenVZ modification for the Linux kernel 2.6.32 does not initialize certain length variables, which allows local users to obtain sensitive information from kernel stack memory via (1) a crafted ploop driver ioctl call, related to the ploop_getdevice_ioc function in drivers/block/ploop/dev.c, or (2) a crafted quotactl system call, related to the compat_quotactl function in fs/quota/quota.c.
SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
| | National Vulnerability Database |
|---|---|
| Base Score | 4.7 |
| Vector | AV:L/AC:M/Au:N/C:C/I:N/A:N |
| Access Vector | Local |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Complete |
| Integrity Impact | None |
| Availability Impact | None |
Note from the SUSE Security Team
This issue only affects the OpenVZ kernel patch. SUSE is not including the OpenVZ kernel patches in their products, so we are not affected by this problem.
No SUSE Bugzilla entries cross referenced.
No SUSE Security Announcements cross referenced.
SUSE Timeline for this CVE
CVE page created: Tue Nov 12 18:15:05 2013
CVE page last modified: Fri Oct 7 12:46:29 2022