Information exposure in Linux kernel platform vivid driver

1) Information exposure

EUVDB-ID: #VU92478

Risk: Low

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-7884

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a local privileged user to gain access to sensitive information.

The vulnerability exists due to information exposure error within the vivid_fb_ioctl() function in drivers/media/platform/vivid/vivid-osd.c. A local privileged user can gain access to sensitive information.

Mitigation

Install update from vendor's repository.

Vulnerable software versions

Linux kernel: All versions

CPE2.3

• cpe:2.3:o:linux_foundation:linux_kernel:*:*:*:*:*:*:*:*

External links

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=eda98796aff0d9bf41094b06811f5def3b4c333c
https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00015.html
https://www.openwall.com/lists/oss-security/2015/10/21/8
https://www.securityfocus.com/bid/77317
https://www.securitytracker.com/id/1034893
https://www.ubuntu.com/usn/USN-2842-1
https://www.ubuntu.com/usn/USN-2842-2
https://www.ubuntu.com/usn/USN-2843-1
https://www.ubuntu.com/usn/USN-2843-2
https://www.ubuntu.com/usn/USN-2843-3
https://bugzilla.redhat.com/show_bug.cgi?id=1274726
https://github.com/torvalds/linux/commit/eda98796aff0d9bf41094b06811f5def3b4c333c

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.