CVE-2013-2852
published 2013-06-07
CVE-2013-2852: Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel…
Priority: P429 · medium · 6.9 (CVSS 2.0)
AV:L/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 1.02% (59.1th percentile)
Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | linux | < linux 3.9.8-1 (bookworm) | linux 3.9.8-1 (bookworm) |
| linux | linux_kernel | >= 0 < 3.9.8-1 | 3.9.8-1 |
| linux | linux_kernel | >= 0 < 3.9.8-1 | 3.9.8-1 |
| linux | linux_kernel | >= 0 < 3.9.8-1 | 3.9.8-1 |
| linux | linux_kernel | >= 0 < 3.9.8-1 | 3.9.8-1 |
| linux | linux_kernel | >= 2.6.12 < 3.0.83 | 3.0.83 |
| linux | linux_kernel | >= 3.1 < 3.2.47 | 3.2.47 |
| linux | linux_kernel | >= 3.3 < 3.4.50 | 3.4.50 |
| linux | linux_kernel | >= 3.5 < 3.9.7 | 3.9.7 |
CVSS provenance
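| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 6.9 | MEDIUM | — |
| vendor_ubuntu | — | 7.8 | HIGH | — |
| vendor_debian | — | 6.9 | LOW | — |
| vendor_redhat | — | 6.9 | MEDIUM | — |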
Ubuntu
Linux kernel (OMAP4) vulnerabilities
vendor_ubuntu·2013-08-20·CVSS 2.1
CVE-2013-2148 [LOW] Linux kernel (OMAP4) vulnerabilities
Title: Linux kernel (OMAP4) vulnerabilities
Summary: Several security issues were fixed in the kernel.
An information leak was discovered in the Linux kernel's fanotify
interface. A local user could exploit this flaw to obtain sensitive
information from kernel memory. (CVE-2013-2148)
Kees Cook discovered a format string vulnerability in the Broadcom B43
wireless driver for the Linux kernel. A local user could exploit this flaw
to gain administrative privileges. (CVE-2013-2852)
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have install
Ubuntu
Linux kernel (Raring HWE) vulnerabilities
vendor_ubuntu·2013-08-20·CVSS 7.8
CVE-2013-1059 [HIGH] Linux kernel (Raring HWE) vulnerabilities
Title: Linux kernel (Raring HWE) vulnerabilities
Summary: Several security issues were fixed in the kernel.
Chanam Park reported a Null pointer flaw in the Linux kernel's Ceph client.
A remote attacker could exploit this flaw to cause a denial of service
(system crash). (CVE-2013-1059)
An information leak was discovered in the Linux kernel's fanotify
interface. A local user could exploit this flaw to obtain sensitive
information from kernel memory. (CVE-2013-2148)
Jonathan Salwan discovered an information leak in the Linux kernel's cdrom
driver. A local user can exploit this leak to obtain sensitive information
from kernel memory if the CD-ROM drive is malfunctioning. (CVE-2013-2164)
Kees Cook discovered a format string vulnerability in the Linux kernel's
disk block layer. A local use
Ubuntu
Linux kernel (OMAP4) vulnerability
vendor_ubuntu·2013-07-30
CVE-2013-2852 Linux kernel (OMAP4) vulnerability
Title: Linux kernel (OMAP4) vulnerability
Summary: The system could be made to crash or run programs as an administrator.
Kees Cook discovered a format string vulnerability in the Broadcom B43
wireless driver for the Linux kernel. A local user could exploit this flaw
to gain administrative privileges.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard
Ubuntu
Linux kernel vulnerability
vendor_ubuntu·2013-07-29
CVE-2013-2852 Linux kernel vulnerability
Title: Linux kernel vulnerability
Summary: The system could be made to crash or run programs as an administrator.
Kees Cook discovered a format string vulnerability in the Broadcom B43
wireless driver for the Linux kernel. A local user could exploit this flaw
to gain administrative privileges.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel
Ubuntu
Linux kernel (Quantal HWE) vulnerability
vendor_ubuntu·2013-07-29
CVE-2013-2852 Linux kernel (Quantal HWE) vulnerability
Title: Linux kernel (Quantal HWE) vulnerability
Summary: The system could be made to crash or run programs as an administrator.
Kees Cook discovered a format string vulnerability in the Broadcom B43
wireless driver for the Linux kernel. A local user could exploit this flaw
to gain administrative privileges.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the st
Ubuntu
Linux kernel vulnerability
vendor_ubuntu·2013-07-29·CVSS 6.9
CVE-2013-2852 [MEDIUM] Linux kernel vulnerability
Title: Linux kernel vulnerability
Summary: The system could be made to crash or run programs as an administrator.
Kees Cook discovered a format string vulnerability in the Broadcom B43
wireless driver for the Linux kernel. A local user could exploit this flaw
to gain administrative privileges. (CVE-2013-2852)
Marcus Moeller and Ken Fallon discovered that the CIFS incorrectly built
certain paths. A local attacker with access to a CIFS partition could
exploit this to crash the system, leading to a denial of service.
(CVE-2013-4247)
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall
Ubuntu
Linux kernel (EC2) vulnerabilities
vendor_ubuntu·2013-07-04·CVSS 1.9
CVE-2012-4508 [LOW] Linux kernel (EC2) vulnerabilities
Title: Linux kernel (EC2) vulnerabilities
Summary: Several security issues were fixed in the kernel.
Dmitry Monakhov reported a race condition flaw in the Linux ext4 filesystem
that can expose stale data. An unprivileged user could exploit this flaw to
cause an information leak. (CVE-2012-4508)
Dave Jones discovered that the Linux kernel's socket subsystem does not
correctly ensure the keepalive action is associated with a stream socket. A
local user could exploit this flaw to cause a denial of service (system
crash) by creating a raw socket. (CVE-2012-6657)
An information leak was discovered in the Linux kernel's tkill and tgkill
system calls when used from compat processes. A local user could exploit
this flaw to examine potentially sensitive kernel memory. (CVE-2013-2141)
Kees Cook di
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2013-07-04·CVSS 1.9
CVE-2012-4508 [LOW] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the kernel.
Dmitry Monakhov reported a race condition flaw in the Linux ext4 filesystem
that can expose stale data. An unprivileged user could exploit this flaw to
cause an information leak. (CVE-2012-4508)
Dave Jones discovered that the Linux kernel's socket subsystem does not
correctly ensure the keepalive action is associated with a stream socket. A
local user could exploit this flaw to cause a denial of service (system
crash) by creating a raw socket. (CVE-2012-6657)
An information leak was discovered in the Linux kernel's tkill and tgkill
system calls when used from compat processes. A local user could exploit
this flaw to examine potentially sensitive kernel memory. (CVE-2013-2141)
Kees Cook discover
Red Hat
kernel: b43: format string leaking into error msgs
vendor_redhat·2013-06-06·CVSS 6.9
CVE-2013-2852 [MEDIUM] kernel: b43: format string leaking into error msgs
kernel: b43: format string leaking into error msgs
Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message.
Statement: This issue does not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5.
This issue does affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6, and Red Hat Enterprise MRG. Future updates for Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG may address this issue.
Package: kernel (Red Hat Enterprise Linux 5
Debian
CVE-2013-2852: linux - Format string vulnerability in the b43_request_firmware function in drivers/net/...
vendor_debian·2013·CVSS 6.9
CVE-2013-2852 [MEDIUM] CVE-2013-2852: linux - Format string vulnerability in the b43_request_firmware function in drivers/net/...
Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message.
Scope: local
bookworm: resolved (fixed in 3.9.8-1)
bullseye: resolved (fixed in 3.9.8-1)
forky: resolved (fixed in 3.9.8-1)
sid: resolved (fixed in 3.9.8-1)
trixie: resolved (fixed in 3.9.8-1)
GHSA
GHSA-jrj6-vfj7-prcf: Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main
ghsa_unreviewed·2022-05-17
CVE-2013-2852 [MEDIUM] CWE-134 GHSA-jrj6-vfj7-prcf: Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main
Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message.
Kernel
Merge branch 'wireless'
kernel_security·2013-06-12·CVSS 6.9
CVE-2013-2852 [MEDIUM] Merge branch 'wireless'
Merge branch 'wireless'
John W. Linville says:
For now I have dropped the mac80211 tree from this request.
We are developing a little backlog of fixes and I would like to
avoid introducing any more uncertainty to this pull request for the
3.10 stream. All the other bits are the same as what was in the
2013-06-06 request, including the ath9k fixes intended to address
the problems observed by Linus w/ his Pixel, and a CVE fix for a
potential security issue in the b43 driver.
Regarding the wl12xx bits, Luca says:
"Here are three patches that I'd like to get into 3.10. Two of them, by
me, are related to the firmware version checks in our driver. Without
them, the firmwares fail to load. The other one, by Eliad, fixes a typo
bug in our 5GHz scanning code."
And as for the Bluetooth bits, Gu
OSV
CVE-2013-2852: Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main
osv·2013-06-07·CVSS 6.9
CVE-2013-2852 [MEDIUM] CVE-2013-2852: Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main
Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message.
Kernel
b43: stop format string leaking into error msgs
kernel_security·2013-05-10·CVSS 6.9
CVE-2013-2852 [MEDIUM] b43: stop format string leaking into error msgs
b43: stop format string leaking into error msgs
The module parameter "fwpostfix" is userspace controllable, unfiltered,
and is used to define the firmware filename. b43_do_request_fw() populates
ctx->errors[] on error, containing the firmware filename. b43err()
parses its arguments as a format string. For systems with b43 hardware,
this could lead to a uid-0 to ring-0 escalation.
CVE-2013-2852
Signed-off-by: Kees Cook
Cc: [email protected]
Signed-off-by: John W. Linville
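The bug class described in the commit message above, shown as an added userspace C model (not the kernel's code and not taken from any of the advisories on this page): a printf-style logger receives parameter-derived text as its format, next to the hardened call with a constant format. The names `model_err`, `build_error`, `log_unsafe`, `log_safe` and `postfix_is_safe`, the error wording and the character allow-list are assumptions; the sample input is constructed and uses only `%%`, which reads no argument.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Userspace model only: every name here is hypothetical, not kernel code. */
#define MSG_MAX 128
static char last_log[MSG_MAX];            /* last line the model "logged" */

/* Stand-in for a printf-style logger: its first string is a FORMAT. */
static void model_err(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof(last_log), fmt, ap);
    va_end(ap);
}

/* Error text that embeds a filename derived from the module parameter. */
static void build_error(char *out, size_t n, const char *fwpostfix)
{
    snprintf(out, n, "Firmware file \"b43%s/ucode.fw\" not found", fwpostfix);
}

/* CWE-134 pattern: parameter-derived text is handed over as the format. */
static const char *log_unsafe(const char *fwpostfix)
{
    char err[MSG_MAX];
    build_error(err, sizeof(err), fwpostfix);
    model_err(err);
    return last_log;
}

/* Hardened pattern: constant format, untrusted text passed as data. */
static const char *log_safe(const char *fwpostfix)
{
    char err[MSG_MAX];
    build_error(err, sizeof(err), fwpostfix);
    model_err("%s", err);
    return last_log;
}

/* Defence in depth (assumed policy): allow only [A-Za-z0-9._-]. */
static int postfix_is_safe(const char *p)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    return strspn(p, ok) == strlen(p);
}

int main(void)
{
    const char *sample = "-100%%";   /* constructed input; "%%" reads no argument */
    printf("unsafe: %s\n", log_unsafe(sample));
    printf("safe:   %s (filter allows: %d)\n", log_safe(sample), postfix_is_safe(sample));
    return 0;
}
```

Declaring a logger with GCC's `format(printf, ...)` attribute and building with `-Wformat -Wformat-security` makes the compiler flag the `log_unsafe` call shape at build time.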
Bugzilla
CVE-2013-2852 kernel: b43: format string leaking into error msgs [fedora-all]
bugzilla·2013-06-07·CVSS 6.9
CVE-2013-2852 [MEDIUM] CVE-2013-2852 kernel: b43: format string leaking into error msgs [fedora-all]
CVE-2013-2852 kernel: b43: format string leaking into error msgs [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue aff
Bugzilla
CVE-2013-2852 kernel: b43: format string leaking into error msgs
bugzilla·2013-05-31·CVSS 6.9
CVE-2013-2852 [MEDIUM] CVE-2013-2852 kernel: b43: format string leaking into error msgs
CVE-2013-2852 kernel: b43: format string leaking into error msgs
The module parameter "fwpostfix" is userspace controllable, unfiltered, and is used to define the firmware filename. b43_do_request_fw() populates ctx->errors[] on error, containing the firmware filename. b43err() parses its arguments as a format string. For systems with b43 hardware, this could lead to a uid-0 to ring-0 escalation.
Acknowledgements:
Red Hat would like to thank Kees Cook for reporting this issue.
Discussion:
Statement:
This issue does not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5.
This issue does affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6, and Red Hat Enterprise MRG. Future updates for Red Hat Enterprise Linux 6 and Red Ha
http://git.kernel.org/cgit/linux/kernel/git/linville/wireless.git/commit/?id=9538cbaab6e8b8046039b4b2eb6c9d614dc782bd
http://lists.opensuse.org/opensuse-security-announce/2013-09/msg00003.html
http://lists.opensuse.org/opensuse-updates/2013-12/msg00129.html
http://rhn.redhat.com/errata/RHSA-2013-1051.html
http://rhn.redhat.com/errata/RHSA-2013-1450.html
http://www.debian.org/security/2013/dsa-2766
http://www.openwall.com/lists/oss-security/2013/06/06/13
http://www.ubuntu.com/usn/USN-1899-1
http://www.ubuntu.com/usn/USN-1900-1
http://www.ubuntu.com/usn/USN-1914-1
http://www.ubuntu.com/usn/USN-1915-1
http://www.ubuntu.com/usn/USN-1916-1
http://www.ubuntu.com/usn/USN-1917-1
http://www.ubuntu.com/usn/USN-1918-1
http://www.ubuntu.com/usn/USN-1919-1
http://www.ubuntu.com/usn/USN-1920-1
http://www.ubuntu.com/usn/USN-1930-1
https://bugzilla.redhat.com/show_bug.cgi?id=969518
2013-06-07
Published