
DOE-CIRC TECHNICAL BULLETIN

T-042: Linux Kernel "keyctl_join_session_keyring()" Denial of Service

January 21, 2009 19:00 GMT

PROBLEM: A local denial of service vulnerability has been discovered in the Linux kernel. An attacker could exploit this to cause a crash via resource exhaustion.
PLATFORM: Linux Kernel
ABSTRACT: There is a memory leak error in the "keyctl_join_session_keyring()" function in security/keys/keyctl.c. A local attacker could cause a crash by exhausting memory resources.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/ciac/bulletins/t-042.shtml
  OTHER LINKS: Secunia Website
               http://secunia.com/advisories/33569


Title:    Linux Kernel "keyctl_join_session_keyring()" Denial of Service 
(https://core.fsisac.com/?requestUrl=..%2fcontent%2fview.aspx%3fPageID%3di6015%26Id%3d461130)

Risk:    4

Summary:    A local denial of service vulnerability has been discovered in the Linux kernel.  An attacker could exploit
this to cause a crash via resource exhaustion.  A patch is available from kernel.org.


Business Impact:    Denial of service

Severity:
2 - Minimal Impact (Normal)

Urgency:
2 - Action Recommended

Credibility:
5 - Verified

Technology:    Linux Kernel

Description:    There is a memory leak error in the "keyctl_join_session_keyring()" function in security/keys/keyctl.c.  A
local attacker could cause a crash by exhausting memory resources.


Corrective Action:
A patch is available from kernel.org:

http://kernel.org/pub/linux/kernel/v2.6/snapshots/patch-2.6.29-rc2-git1.bz2


Source(s):    http://secunia.com/advisories/33569/
http://git2.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0d54ee1c7850a954026deec4cd4885f331da35cc


CVE Number:    CVE-2009-0031




DOE-CIRC wishes to acknowledge the contributions of Financial Services ISAC for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirci@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov
                    


UCRL-MI-119788