Linux Kernel "uname()" Kernel Memory Disclosure Weakness

Secunia ID	SA50895
CVE-ID	CVE-2012-0957
Release Date	10 Oct 2012
Last Change	31 Oct 2012
Criticality	Not Critical
Solution Status	Partial Fix
Where	Local system
Impact	Exposure of system information Vulnerabilities where excessive information about the system (e.g. version numbers, running services, installation paths, and similar) are exposed and can be revealed from remote and in some cases locally.
Description	A weakness has been reported in Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive system information. The weakness is caused due to an error when populating the system information structure as a result of the "uname()" system call. This can be exploited to disclose some kernel stack-based memory via the UNAME26 execution domain.
Solution	Update to a fixed version if available. Linux Kernel 3.0.x: Update to version 3.0.49. Linux Kernel 3.2.x: Update to version 3.2.33. Linux Kernel 3.4.x: Update to version 3.4.16 Linux Kernel 3.5.x: No official solution is currently available.
Reported by	Reported by Brad Spengler via a patch.
Original Advisory	https://lkml.org/lkml/2012/10/9/550 http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.16 http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.0.49 http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.2.33

© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.