All of lore.kernel.org
 help / color / mirror / Atom feed
* [cip-dev] New CVE entry this week
@ 2021-09-09  2:39 Masami Ichikawa
  2021-09-09  6:41 ` Pavel Machek
       [not found] ` <CAMLqsBZCbrdOaxhuc81kvZsinS+_bFPp2tpmuVnczC1EXCA3Zg@mail.gmail.com>
  0 siblings, 2 replies; 26+ messages in thread
From: Masami Ichikawa @ 2021-09-09  2:39 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 8073 bytes --]

Hi !

It's this week's CVE report.

This week reported 3 new CVEs. These CVEs have been fixed in mainline
and some stable kernels.

* New CVEs

CVE-2021-3715: kernel: use-after-free in route4_change() in
net/sched/cls_route.c

This vulnerability was introduced in 3.18-rc1 and fixed in 5.6.
Therefore 5.6 or later kernels aren't affect this vulnerability.

Fixed status

cip/4.19: [ea3d6652c240978736a91b9e85fde9fee9359be4]
cip/4.19-rt: [ea3d6652c240978736a91b9e85fde9fee9359be4]
cip/4.4: [7518af6464b47a0d775173570c3d25f699da2a5e]
cip/4.4-rt: [7518af6464b47a0d775173570c3d25f699da2a5e]
mainline: [ef299cc3fa1a9e1288665a9fdc8bff55629fd359]
stable/4.14: [f0c92f59cf528bc1b872f2ca91b01e128a2af3e6]
stable/4.19: [ea3d6652c240978736a91b9e85fde9fee9359be4]
stable/4.4: [7518af6464b47a0d775173570c3d25f699da2a5e]
stable/4.9: [97a8e7afaee8fc4f08662cf8e4f495b87874aa91]
stable/5.4: [ff28c6195814bdbd4038b08d39e40f8d65d2025e]

CVE-2021-3759: memcg: charge semaphores and sem_undo objects

This causes DoS attack. Patch was merged into mainline this week.

for 4.19, it needs modify or apply following patches to apply commit
18319498fdd4.

4a2ae92993be24ba727faa733e99d7980d389ec0: ipc/sem.c: replace
kvmalloc/memset with kvzalloc and use struct_size
bc8136a543aa839a848b49af5e101ac6de5f6b27: ipc: use kmalloc for
msg_queue and shmid_kernel
fc37a3b8b4388e73e8e3525556d9f1feeb232bb9: ipc sem: use kvmalloc for
sem_undo allocation

for 4.4, need to modify the patch.

Fixed status

mainline: [18319498fdd4cdf8c1c2c48cd432863b1f915d6f]

CVE-2021-40490: A race condition was discovered in
ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem
in the Linux kernel through 5.13.13.

Commit a54c4613dac1 fixes f19d5870cbf72d4cb2a8e1f749dff97af99b071e
which has been merged into 3.8-rc1.

Fixed status

mainline: [a54c4613dac1500b40e4ab55199f7c51f028e848]
stable/5.10: [09a379549620f122de3aa4e65df9329976e4cdf5]
stable/5.13: [c764e8fa4491da66780fcb30a0d43bfd3fccd12c]
stable/5.14: [f8ea208b3fbbc0546d71b47e8abaf98b0961dec1]

* Updated CVEs

CVE-2021-3542: media: firewire: firedtv-avc: fix a buffer overflow in
avc_ca_pmt()

Patch has been sent to linux-media list
(https://lore.kernel.org/linux-media/20210816072721.GA10534@kili/).
btw, no cip member enables DVB_FIREDTV.

Fixed status

Not fixed in mainline yet.

CVE-2021-3640: UAF in sco_send_frame function

According to the SUSE
bugzilla(https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951
), patch has been merged into bluetooth-next tree as of 2021/09/03.

Fixed status

Not fixed in mainline yet.


CVE-2021-3739: btrfs: fix NULL pointer dereference when deleting
device by invalid id

This vulnerability is not affected before 4.20-rc1.

Fixed status

mainline: [e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091]
stable/5.10: [c43add24dffdbac269d5610465ced70cfc1bad9e]
stable/5.13: [301aabe0239f227818622096be7e180fcdbedf80]
stable/5.14: [734dabfb6918d399024063c9db9093a83f804ce5]
stable/5.4: [d7f7eca72ecc08f0bb6897fda2290293fca63068]


CVE-2021-3753: vt_kdsetmode: extend console locking

A out-of-bounds caused by the race of KDSETMODE in VT.

Fixed status

mainline: [2287a51ba822384834dafc1c798453375d1107c7]
stable/4.14: [3f488313d96fc6512a4a0fe3ed56cce92cbeec94]
stable/4.19: [0776c1a20babb4ad0b7ce7f2f4e0806a97663187]
stable/4.4: [01da584f08cbb1e04f22796cc49b10d570cd5ec1]
stable/4.9: [755a2f40dda2d6b2e3b8624cb052e68947ee4d1f]
stable/5.10: [60d69cb4e60de0067e5d8aecacd86dfe92a5384a]
stable/5.13: [a5dfcf3d8ecc549f8dc324ab6caf9dd14de87986]
stable/5.14: [acf3c7b4fae092e7f5c170bc8a0fe2ead9b2a320]
stable/5.4: [f4418015201bdca0cd4e28b363d88096206e4ad0]


CVE-2021-3743: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c

The Qualcomm's IPC router protocol(qrtr) has been introduced since
4.15-rc1 so before 4.15 kernels aren't affected.

Fixed status

mainline: [7e78c597c3ebfd0cb329aa09a838734147e4f117]
stable/4.19: [ce7d8be2eaa4cab3032e256d154d1c33843d2367]
stable/5.10: [ad41706c771a038e9a334fa55216abd69b32bfdf]
stable/5.13: [d6060df9b53ab8098c954aac9acbacef6915e42a]
stable/5.4: [a6b049aeefa880a8bd7b1ae3a8804bda1e8b077e]

CVE-2021-38198: KVM: X86: MMU: Use the correct inherited permissions
to get shadow page

4.14 has been fixed this week.

mainline: [b1bd5cba3306691c771d558e94baa73e8b0b96b7]
stable/4.14: [cea9e8ee3b8059bd2b36d68f1f428d165e5d13ce]
stable/4.19: [4c07e70141eebd3db64297515a427deea4822957]
stable/5.10: [6b6ff4d1f349cb35a7c7d2057819af1b14f80437]
stable/5.4: [d28adaabbbf4a6949d0f6f71daca6744979174e2]

CVE-2021-3444: bpf: Fix truncation handling for mod32 dst reg wrt zero

The vulnerability has been introduced since 4.15-rc9. 4.4 is not affected.
4.19 has been fixed in this week.

Fixed status

mainline: [9b00f1b78809309163dda2d044d9e94a3c0248a3]
stable/4.19: [39f74b7c81cca139c05757d9c8f9d1e35fbbf56b]
stable/5.10: [3320bae8c115863b6f17993c2b7970f7f419da57]
stable/5.11: [55c262ea5d0f754648cd25aa73de081adaab07d9]
stable/5.4: [185c2266c1df80bec001c987d64cae2d9cd13816]

CVE-2021-3600: eBPF 32-bit source register truncation on div/mod

The vulnerability has been introduced since 4.15-rc9. 4.4 is not affected.
4.19 has been fixed in this week.We have been tracking this
vulnerability since Aug to watch 4.19 to be fixed, and now it is
finally fixed.

Fixed status

mainline: [e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90]
stable/4.19: [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
stable/5.10: [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
stable/5.4: [78e2f71b89b22222583f74803d14f3d90cdf9d12]

CVE-2021-3655: missing size validations on inbound SCTP packets

cip/4.4, cip/4.19, cip/4.4-rt, cip/4.19-rt, stable/4.14, and
stable/5.4 have been fixed this week.

Fixed status

  mainline: [0c5dc070ff3d6246d22ddd931f23a6266249e3db,
50619dbf8db77e98d821d615af4f634d08e22698,
    b6ffe7671b24689c09faa5675dd58f93758a97ae,
ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9]
  stable/4.19: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
dd16e38e1531258d332b0fc7c247367f60c6c381]
  cip/4.19: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
dd16e38e1531258d332b0fc7c247367f60c6c381]
  cip/4.19-rt: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
dd16e38e1531258d332b0fc7c247367f60c6c381]
  stable/4.4: [48cd035cad5b5fad0648aa8294c4223bedb166dd]
  cip/4.4: [48cd035cad5b5fad0648aa8294c4223bedb166dd]
  cip/4.4-rt: [48cd035cad5b5fad0648aa8294c4223bedb166dd]
  stable/4.9: [c7da1d1ed43a6c2bece0d287e2415adf2868697e]
  stable/5.10: [d4dbef7046e24669278eba4455e9e8053ead6ba0,
6ef81a5c0e22233e13c748e813c54d3bf0145782]
  stable/4.14: [f01bfaea62d14938ff2fbeaf67f0afec2ec64ab9,
d890768c1ed6688ca5cd54ee37a69d90ea8c422f]
  stable/5.4: [03a5e454614dc095a70d88c85ac45ba799c79971,
a01745edc1c95ff53e261c493f15bb43b1338003]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

There is no fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Other topics.

About cve.mitre.org

CVE Website Transitioning to New Web Address – “CVE.ORG”
https://cve.mitre.org/news/archives/2021/news.html#September022021_CVE_Website_Transitioning_to_New_Web_Address_-_CVE.ORG

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6719): https://lists.cip-project.org/g/cip-dev/message/6719
Mute This Topic: https://lists.cip-project.org/mt/85476557/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


^ permalink raw reply	[flat|nested] 26+ messages in thread
* New CVE entry this week
@ 2021-10-21  1:21 Masami Ichikawa
  2021-10-21  8:41 ` [cip-dev] " nobuhiro1.iwamatsu
  0 siblings, 1 reply; 26+ messages in thread
From: Masami Ichikawa @ 2021-10-21  1:21 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 7968 bytes --]

Hi !

It's this week's CVE report.

This week reported 7 new CVEs.

* New CVEs

CVE-2021-20320: kernel: s390 eBPF JIT miscompilation issues fixes.

This bug is in BPF subsystem and s390 architecture specific. Patches
haven't been backported to 4.4 kernel. However, according to the
cip-kernel-config, it looks like no one uses s390, so can it ignore it
until someone backport patches?

CVSS v3 score is not provided.

Fixed status

mainline: [db7bee653859ef7179be933e7d1384644f795f26,
6e61dc9da0b7a0d91d57c2e20b5ea4fd2d4e7e53,
  1511df6f5e9ef32826f20db2ee81f8527154dc14]
stable/4.19: [ddf58efd05b5d16d86ea4638675e8bd397320930]
stable/4.9: [c22cf38428cb910f1996839c917e9238d2e44d4b,
8a09222a512bf7b32e55bb89a033e08522798299]
stable/5.10: [d92d3a9c2b6541f29f800fc2bd44620578b8f8a6,
4320c222c2ffe778a8aff5b8bc4ac33af6d54eba,
  ab7cf225016159bc2c3590be6fa12965565d903b]
stable/5.14: [7a31ec4d215a800b504de74b248795f8be666f8e,
6a8787093b04057d855822094d63d04a2506444a,
  a7593244dc31ad0eea70319f6110975f9c738dca]

CVE-2021-20321: kernel: In Overlayfs missing a check for a negative
dentry before calling vfs_rename()

CVSS v3 score is not provided.

A local attacker can escalate their privileges up to root via
overlayfs vulnerability.
Patch for 4.4 is applied
failed(https://lore.kernel.org/stable/163378772914820@kroah.com/). It
needs to modify the patch. I attached a patch, if it looks good, I'll
send it to the stable mailing list.

Fixed status

mainline: [a295aef603e109a47af355477326bd41151765b6]
stable/4.14: [1caaa820915d802328bc72e4de0d5b1629eab5da]
stable/4.19: [9d4969d8b5073d02059bae3f1b8d9a20cf023c55]
stable/4.9: [286f94453fb34f7bd6b696861c89f9a13f498721]
stable/5.10: [9763ffd4da217adfcbdcd519e9f434dfa3952fc3]
stable/5.14: [71b8b36187af58f9e67b25021f5debbc04a18a5d]
stable/5.4: [fab338f33c25c4816ca0b2d83a04a0097c2c4aaf]

CVE-2021-3847: low-privileged user privileges escalation

CVSS v3 score is not provided.

A Local attacker can escalate their privileges up to root by overlay
fs's vulnerability
(https://www.openwall.com/lists/oss-security/2021/10/14/3).

Fixed status

Not fixed yet.

CVE-2021-42252: soc: aspeed: lpc-ctrl: Fix boundary check for mmap

CVSS v3 score is not provided.

This bug has been introduced since 4.12-rc1. so all stable kernels are fixed.

Fixed status

mainline: [b49a0e69a7b1a68c8d3f64097d06dabb770fec96]
stable/4.14: [b1b55e4073d3da6119ecc41636a2994b67a2be37]
stable/4.19: [9c8891b638319ddba9cfa330247922cd960c95b0]
stable/5.10: [3fdf2feb6cbe76c6867224ed8527b356e805352c]
stable/5.14: [865f5ba9fdfc3ac6acabcac9630056ce99db600d]
stable/5.4: [2712f29c44f18db826c7e093915a727b6f3a20e4]

CVE-2021-20322: new DNS Cache Poisoning Attack based on ICMP fragment
needed packets replies

CVSS v3 score is not provided.

A flaw in the processing of the received ICMP errors (ICMP fragment
needed and ICMP redirect) in the Linux kernel functionality was found
that allows to quickly scan open UDP ports. This flaw allows an
off-path remote user to effectively bypassing source port UDP
randomization.
This flaw is similar to the previous CVE-2020-25705 (both DNS
poisoning attack based on ICMP replies for open ports scanning, but
other type of ICMP packets).

Commit 4785305c ("ipv6: use siphash in rt6_exception_hash()") fixes
35732d01 ("ipv6: introduce a hash table to store dst cache") which was
merged in 4.15-rc1.
stable/4.4 doesn't contain upstream commit 35732d01. stable/4.19
contains upstream commit 35732d01.

Commit 6457378f ("ipv4: use siphash instead of Jenkins in
fnhe_hashfun()") fixes d546c621 ("ipv4: harden fnhe_hashfun()") which
was merged in 3.18-rc1
stable/4.4 and stable/4.19 contain upstream commit d546c621.

Commit a00df2ca ("ipv6: make exception cache less predictible") fixes
35732d01 ("ipv6: introduce a hash table to store dst cache") which was
merged in 4.15-rc1.
stable/4.4 doesn't contain upstream commit 35732d01. stable/4.19
contains upstream commit 35732d01.

Commit 67d6d681 ("ipv4: make exception cache less predictible") fixes
4895c771 ("ipv4: Add FIB nexthop exceptions.") which was merged in
3.6-rc1.
stable/4.19 applied this patch at commit 3e6bd2b5. stable/4.4 applied
this patch at commit bed8941f.

Fixed status

mainline: [4785305c05b25a242e5314cc821f54ade4c18810,
6457378fe796815c973f631a1904e147d6ee33b1,
  a00df2caffed3883c341d5685f830434312e4a43,
67d6d681e15b578c1725bad8ad079e05d1c48a8e]
stable/4.19: [3e6bd2b583f18da9856fc9741ffa200a74a52cba]
stable/4.4: [bed8941fbdb72a61f6348c4deb0db69c4de87aca]
stable/4.9: [f10ce783bcc4d8ea454563a7d56ae781640e7dcb]
stable/5.10: [8692f0bb29927d13a871b198adff1d336a8d2d00,
5867e20e1808acd0c832ddea2587e5ee49813874,
  dced8347a727528b388f04820f48166f1e651af6,
beefd5f0c63a31a83bc5a99e6888af884745684b]
stable/5.14: [4785305c05b25a242e5314cc821f54ade4c18810,
6457378fe796815c973f631a1904e147d6ee33b1,
  55938482a1461a35087c6f3051f8447662889ea8,
4589a12dcf80af31137ef202be1ff4a321707a73]

CVE-2021-42739: A buffer overflow bug is found in the firewire subsystem

CVSS v3 score is not provided.

Patches have been sent to Linux Media mailing list but it hasn't been
merged in linux-media tree nor mainline yet. According to the
cip-kernel-config repo, no CIP member uses firewire driver.

Fixed status

Not fixed yet.

CVE-2021-34866: Linux Kernel eBPF Type Confusion Privilege Escalation
Vulnerability

CVSS v3 score is not provided.

A type confusion bug is found in eBPF subsystem which can leads a
local attacker escalates their privileges via this bug.
This bug was introduced in commit 457f44363a88 ("bpf: Implement BPF
ring buffer and verifier support for it") that has been merged since
5.8-rc1. so before 5.8 kernels aren't affected by this CVE.

Fixed status

mainline: [5b029a32cfe4600f5e10e36b41778506b90fd4de]
stable/5.10: [9dd6f6d89693d8f09af53d2488afad22a8a44a57]

* Updated CVEs

CVE-2020-29374: gup: document and work around "COW can break either way" issue

This bug has been fixed since 5.8-rc1. 4.4 and 4.9 have been fixed this week.
All stable kernels are fixed.

Fixed status

mainline: [17839856fd588f4ab6b789f482ed3ffd7c403e1f]
stable/4.14: [407faed92b4a4e2ad900d61ea3831dd597640f29]
stable/4.19: [5e24029791e809d641e9ea46a1f99806484e53fc]
stable/4.4: [58facc9c7ae307be5ecffc1697552550fedb55bd]
stable/4.9: [9bbd42e79720122334226afad9ddcac1c3e6d373]
stable/5.4: [1027dc04f557328eb7b7b7eea48698377a959157]

CVE-2021-41864: bpf: Fix integer overflow in prealloc_elems_and_freelist()

4.9 and 4.19 have been fixed this week. This bug was introduced in
4.6-rc1 therefore 4.4 doesn't affect.
All stable kernels are fixed.

Fixed status

mainline: [30e29a9a2bc6a4888335a6ede968b75cd329657a]
stable/4.14: [f34bcd10c4832d491049905d25ea3f46a410c426]
stable/4.19: [078cdd572408176a3900a6eb5a403db0da22f8e0]
stable/4.9: [4fd6663eb01bc3c73143cd27fefd7b8351bc6aa6]
stable/5.10: [064faa8e8a9b50f5010c5aa5740e06d477677a89]
stable/5.14: [3a1ac1e368bedae2777d9a7cfdc65df4859f7e71]
stable/5.4: [b14f28126c51533bb329379f65de5b0dd689b13a]


Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

Fixed in bluetooth-next tree.

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/net/bluetooth/sco.c?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: 0001-ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch --]
[-- Type: text/x-patch, Size: 1913 bytes --]

From 1e43a0933de1ab853f171de45a17b5f9c43b110e Mon Sep 17 00:00:00 2001
From: Zheng Liang <zhengliang6@huawei.com>
Date: Fri, 24 Sep 2021 09:16:27 +0800
Subject: [PATCH] ovl: fix missing negative dentry check in ovl_rename()

From: Zheng Liang <zhengliang6@huawei.com>

commit a295aef603e109a47af355477326bd41151765b6 upstream.

The following reproducer

  mkdir lower upper work merge
  touch lower/old
  touch lower/new
  mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge
  rm merge/new
  mv merge/old merge/new & unlink upper/new

may result in this race:

PROCESS A:
  rename("merge/old", "merge/new");
  overwrite=true,ovl_lower_positive(old)=true,
  ovl_dentry_is_whiteout(new)=true -> flags |= RENAME_EXCHANGE

PROCESS B:
  unlink("upper/new");

PROCESS A:
  lookup newdentry in new_upperdir
  call vfs_rename() with negative newdentry and RENAME_EXCHANGE

Fix by adding the missing check for negative newdentry.

Signed-off-by: Zheng Liang <zhengliang6@huawei.com>
Fixes: e9be9d5e76e3 ("overlay filesystem")
Cc: <stable@vger.kernel.org> # v3.18
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Reference: CVE-2021-20321
Signed-off-by: Masami Ichikawa(CIP) <masami.ichikawa@cybertrust.co.jp>
---
 fs/overlayfs/dir.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index eedacae889b9..80bf0ab52e81 100644
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -824,9 +824,13 @@ static int ovl_rename2(struct inode *olddir, struct dentry *old,
 		}
 	} else {
 		new_create = true;
-		if (!d_is_negative(newdentry) &&
-		    (!new_opaque || !ovl_is_whiteout(newdentry)))
-			goto out_dput;
+		if (!d_is_negative(newdentry)) {
+			if (!new_opaque || !ovl_is_whiteout(newdentry))
+				goto out_dput;
+		} else {
+			if (flags & RENAME_EXCHANGE)
+				goto out_dput;
+		}
 	}
 
 	if (olddentry == trap)
-- 
2.33.0


^ permalink raw reply related	[flat|nested] 26+ messages in thread
* [cip-dev] New CVE entry this week
@ 2021-10-13 23:54 ` Masami Ichikawa
  2021-10-14  6:55     ` Pavel Machek
  0 siblings, 1 reply; 26+ messages in thread
From: Masami Ichikawa @ 2021-10-13 23:54 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 5787 bytes --]

Hi !

It's this week's CVE report.

This week reported 4 new CVEs.

* New CVEs

CVE-2021-0935: bug is in ipv6 and l2tp code.

This CVE addresses two commits, one in the ipv6 stack and the other in l2tp.
There is two introduced commits one is 85cb73f ("net: ipv6: reset
daddr and dport in sk if connect() fails") was merged in 4.12 and the
other commit 3557baa ("[L2TP]: PPP over L2TP driver core") was merged
in 2.6.23-rc1.

Fixed commits have been merged since 4.16-rc7 so 4.16 or later kernels
don't affect this vulnerability.

Commit 2f987a76("net: ipv6: keep sk status consistent after datagram
connect failure") fixes 85cb73f and commit b954f940("l2tp: fix races
with ipv4-mapped ipv6 addresses") fixes commit 3557baa.

To apply patches to 4.4, it needs to fix conflicts.

CVSS v3 score is not provided.

Fixed status

mainline: [2f987a76a97773beafbc615b9c4d8fe79129a7f4,
b954f94023dcc61388c8384f0f14eb8e42c863c5]
stable/4.14: [a8f02befc87d6f1a882c9b14a31bcfa1fbd3d430,
b0850604cc5dac60754cc2fcdf7d2ca97a68a4dc]
stable/4.19: [2f987a76a97773beafbc615b9c4d8fe79129a7f4,
b954f94023dcc61388c8384f0f14eb8e42c863c5]
stable/4.4: not fixed yet
stable/4.9: [c49f30b2979bfc8701620e598558f29a48e07234,
535ef684ec6079bccc2037c76bc607d29dca05dc]
stable/5.10: [2f987a76a97773beafbc615b9c4d8fe79129a7f4,
b954f94023dcc61388c8384f0f14eb8e42c863c5]
stable/5.4: [2f987a76a97773beafbc615b9c4d8fe79129a7f4,
b954f94023dcc61388c8384f0f14eb8e42c863c5]

CVE-2021-0937: netfilter: x_tables: fix compat match/target pad
out-of-bound write

This vulnerability was introduced since 4.6.19-rc1 and fixed in
5.12-rc8. All stable kernels are already fixed.

CVSS v3 score is not provided.

Fixed status

mainline: [b29c457a6511435960115c0f548c4360d5f4801d]
stable/4.14: [522a0191944e3db9c30ade5fa6b6ec0d7c42f40d]
stable/4.19: [12ec80252edefff00809d473a47e5f89c7485499]
stable/4.4: [b0d98b2193a38ef93c92e5e1953d134d0f426531]
stable/4.9: [0c58c9f9c5c5326320bbe0429a0f45fc1b92024b]
stable/5.10: [1f3b9000cb44318b0de40a0f495a5a708cd9be6e]
stable/5.4: [cc59b872f2e1995b8cc819b9445c1198bfe83b2d]


CVE-2021-0938: compiler.h: fix barrier_data() on clang

This bug was introduced in 4.19-rc1 and fixed in 5.10-rc4. so all
stable kernels are fixed.
If kernel was built from clang, this bug will be affected.

CVSS v3 score is not provided.

Fixed status

mainline: [3347acc6fcd4ee71ad18a9ff9d9dac176b517329]
stable/4.14: not affect
stable/4.19: [b207caff4176e3a6ba273243da2db2e595e4aad2]
stable/4.4: not affect
stable/4.9: not affect
stable/5.10: not affect
stable/5.4: [c2c5dc84ac51da90cadcb12554c69bdd5ac7aeeb]

CVE-2021-0941: bpf: Remove MTU check in __bpf_skb_max_len

CVSS v3 score is not provided.

This bug is fixed in v5.12-rc1-dontuse. The kernel 4.4 doesn't contain
__bpf_skb_max_len() so 4.4 may not affect this vulnerability. The
__bpf_skb_max_len() was introduced since 4.13-rc1 commit
2be7e212("bpf: add bpf_skb_adjust_room helper
").

Fixed status.

mainline: [6306c1189e77a513bf02720450bb43bd4ba5d8ae]
stable/4.14: [64cf6c3156a5cbd9c29f54370b801b336d2f7894]
stable/4.19: [8c1a77ae15ce70a72f26f4bb83c50f769011220c]
stable/4.4: not affect
stable/4.9: [1636af9e8a8840f5696ad2c01130832411986af4]
stable/5.10: [fd38d4e6757b6b99f60314f67f44a286f0ab7fc0]
stable/5.4: [42c83e3bca434d9f63c58f9cbf2881e635679fee]

* Updated CVEs

CVE-2021-3744: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
CVE-2021-3764: DoS in ccp_run_aes_gcm_cmd() function

CVE-2021-3744 and CVE-2021-3764 are fixed by commit 505d9dcb("crypto:
ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
"). Both vulnerabilities were in ccp_run_aes_gcm_cmd() which has been
introduced since 4.12-rc1. Therefore before 4.12 kernels aren't
affected this vulnerability.

Fixed status

mainline: [505d9dcb0f7ddf9d075e729523a33d38642ae680]
stable/4.14: [3707e37b3fcef4d5e9a81b9c2c48ba7248051c2a]
stable/4.19: [710be7c42d2f724869e5b18b21998ceddaffc4a9]
stable/4.4: not affect
stable/4.9: not affect
stable/5.10: [17ccc64e4fa5d3673528474bfeda814d95dc600a]
stable/5.14: [e450c422aa233e9f80515f2ee9164e33f158a472]
stable/5.4: [24f3d2609114f1e1f6b487b511ce5fa36f21e0ae]

CVE-2021-41864: bpf: Fix integer overflow in prealloc_elems_and_freelist()

This bug was introduced in 4.6-rc1 so that 4.4 isn't affected this bug.
4.19, 5.10, 5.14, and 5.4 have been fixed this week.
Patch to 4.14 can be applied by git am without any modification. Patch
to 4.9 can be applied by 3-way merge.

Fixed status

mainline: [30e29a9a2bc6a4888335a6ede968b75cd329657a]
stable/4.14: not fixed yet
stable/4.19: [078cdd572408176a3900a6eb5a403db0da22f8e0]
stable/4.4: not affect
stable/4.14: not fixed yet
stable/5.10: [064faa8e8a9b50f5010c5aa5740e06d477677a89]
stable/5.14: [3a1ac1e368bedae2777d9a7cfdc65df4859f7e71]
stable/5.4: [b14f28126c51533bb329379f65de5b0dd689b13a]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

Fixed in bluetooth-next tree.

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/net/bluetooth/sco.c?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6822): https://lists.cip-project.org/g/cip-dev/message/6822
Mute This Topic: https://lists.cip-project.org/mt/86301612/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


^ permalink raw reply	[flat|nested] 26+ messages in thread
* [cip-dev] New CVE entry this week
@ 2021-10-07  0:59 ` Masami Ichikawa
  2021-10-07  7:30     ` Pavel Machek
  0 siblings, 1 reply; 26+ messages in thread
From: Masami Ichikawa @ 2021-10-07  0:59 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 3957 bytes --]

Hi !

It's this week's CVE report.

This week reported  new CVEs.

* New CVEs

CVE-2021-41864: bpf: Fix integer overflow in prealloc_elems_and_freelist()

CVSS v3 score is not provided.

Patch 30e29a9a2bc6 (bpf: Fix integer overflow in prealloc_elems_and_freelist()
) fixes commit 557c0c6e7df8 ("bpf: convert stackmap to
pre-allocation") which has been introduced in 4.6-rc1. Therefore 4.4
kernel isn't affected this issue.

For 4.19 and 5.4, patch can be applied by "git am". For 4.9, patch can
be applied by "git am -3".

Fixed status

Fix patch has been merged into bpf tree, but not in the mainline yet.

CVE-2021-42008: net: 6pack: fix slab-out-of-bounds in decode_data

The 6pack module has slab out-of-bounds vulnerability in decode_data()
which allow local attacker can gain their privileges.
This bug has been fixed since 5.14-rc7. All stable kernels have
already been fixed.

Fixed status

cip/4.19: [4e370cc081a78ee23528311ca58fd98a06768ec7]
cip/4.19-rt: [4e370cc081a78ee23528311ca58fd98a06768ec7]
cip/4.4: [d66736076bd84742c18397785476e9a84d5b54ef]
cip/4.4-rt: [d66736076bd84742c18397785476e9a84d5b54ef]
mainline: [19d1532a187669ce86d5a2696eb7275310070793]
stable/4.14: [5e0e782874ad03ae6d47d3e55aff378da0b51104]
stable/4.19: [4e370cc081a78ee23528311ca58fd98a06768ec7]
stable/4.4: [d66736076bd84742c18397785476e9a84d5b54ef]
stable/4.9: [de9171c1d9a5c2c4c5ec5e64f420681f178152fa]
stable/5.10: [85e0518f181a0ff060f5543d2655fb841a83d653]
stable/5.4: [a73b9aa142691c2ae313980a8734997a78f74b22]

* Updated CVEs

CVE-2019-19449: mounting a crafted f2fs filesystem image can lead to
slab-out-of-bounds read access in f2fs_build_segment_manager in
fs/f2fs/segment.c

This patch has been merged since 5.10-rc1.
For 5.4, patch can be applied via git-am. For 4.4 and 4.19, patch can
be applied via git-am with -3 option.

Fixed status

mainline: [3a22e9ac71585bcb7667e44641f1bbb25295f0ce]
stable/5.10: [3a22e9ac71585bcb7667e44641f1bbb25295f0ce]

CVE-2021-37159: net: hso: do not call unregister if not registered

4.14, 4.19, and 5.4 have been fixed. 4.4 and 4.9 haven't been fixed
yet. However, patch can be applied to 4.4 and 4.9 without any
modification. According to cip-kernel-config, no CIP member use HSO
module.

Fixed status

mainline: [a6ecfb39ba9d7316057cea823b196b734f6b18ca]
stable/4.14: [4c0db9c4b3701c29f47bac0721e2f7d2b15d8edb]
stable/4.19: [f6cf22a1ef49f8e131f99c3f5fd80ab6b23a2d21]
stable/5.10: [115e4f5b64ae8d9dd933167cafe2070aaac45849]
stable/5.13: [eeaa4b8d1e2e6f10362673d283a97dccc7275afa]
stable/5.4: [fe57d53dd91d7823f1ceef5ea8e9458a4aeb47fa]

CVE-2021-38300: bpf, mips: Validate conditional branch offsets

This vulnerability is only affected to MIPS architecture. No cip
member use MIPS architecture.

5.10 has been fixed. Applying this fix to 4.4, 4.9, 4.19, and 5.4, it
needs to modify the patch.

Fixed status

mainline: [37cb28ec7d3a36a5bace7063a3dba633ab110f8b]
stable/5.10: [c61736a994fe68b0e5498e4e84e1c9108dc41075]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

Fixed in bluetooth-next tree.

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/net/bluetooth/sco.c?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6798): https://lists.cip-project.org/g/cip-dev/message/6798
Mute This Topic: https://lists.cip-project.org/mt/86134956/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


^ permalink raw reply	[flat|nested] 26+ messages in thread
* [cip-dev] New CVE entry this week
@ 2021-09-30  0:12 ` Masami Ichikawa
  2021-09-30  6:33     ` Nobuhiro Iwamatsu
  0 siblings, 1 reply; 26+ messages in thread
From: Masami Ichikawa @ 2021-09-30  0:12 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1769 bytes --]

Hi !

It's this week's CVE report.

This week reported one new CVE.

* New CVEs

CVE-2021-20317: lib/timerqueue: Rely on rbtree semantics for next timer

This bug has been fixed in 5.4-rc1 so that before 5.4 kernels are
affected. For 4.19, patch can be applied without any modification. For
4.4, it needs to modify patch to apply it.
According to the description in
cve.mitre.org(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20317),
it describes "This flaw allows a local attacker with special user
privileges to cause a denial of service" so I think this vulnerability
severity may be low.

CVSS v3 score is not provided.

Fixed status

mainline: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
stable/5.10: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
stable/5.14: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
stable/5.4: [511885d7061eda3eb1faf3f57dcc936ff75863f1]

* Updated CVEs

No updated CVEs  this week.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6762): https://lists.cip-project.org/g/cip-dev/message/6762
Mute This Topic: https://lists.cip-project.org/mt/85963258/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


^ permalink raw reply	[flat|nested] 26+ messages in thread
* [cip-dev] New CVE entry this week
@ 2021-09-23  1:52 Masami Ichikawa
  0 siblings, 0 replies; 26+ messages in thread
From: Masami Ichikawa @ 2021-09-23  1:52 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 4935 bytes --]

Hi !

It's this week's CVE report.

This week reported 2 new CVEs.

* New CVEs

CVE-2021-41073: io_uring: ensure symmetry in handling iter types in
loop_rw_iter()

CVSS v3 score is not provided.

This CVE is affected from 5.10-rc1 to 5.15-rc2. All stable kernels are fixed.

Fixed status

mainline: [16c8d2df7ec0eed31b7d3b61cb13206a7fb930cc]
stable/5.10: [ce8f81b76d3bef7b9fe6c8f84d029ab898b19469]
stable/5.14: [71e32edd2210d0304e93ac110814b5a4b3a81dc0]

CVE-2021-3773: lack of port sanity checking in natd and netfilter
leads to exploit of OpenVPN clients

CVSS v3 score is not provided.

The details of the vulnerability has been published on
https://breakpointingbad.com/2021/09/08/Port-Shadows-via-Network-Alchemy.html
.

Fixed status

Not fixed yet.

* Updated CVEs

CVE-2020-16119:  net: dccp: fix structure use-after-free

stable kernels have been fixed this week. All stable kernels are fixed.

Fixed status

mainline: [d9ea761fdd197351890418acd462c51f241014a7]
stable/4.14: [a1bb3c064bf5f2d8c3e9368a9152b1224a9dd64a]
stable/4.19: [dfec82f3e5b8bd93ab65b7417a64886ec8c42f14]
stable/4.4: [1969452d411a73a3125c326c6db0c8433f31dfd5]
stable/4.9: [40ea36ffa7207456c3f155bbab76754d3f37ce04]
stable/5.10: [6c3cb65d561e76fd0398026c023e587fec70e188]
stable/5.14: [51f7b364a2d120cea956b2bb5ccaad29bbf8abce]
stable/5.4: [5ab04a4ffed02f66e8e6310ba8261a43d1572343]

CVE-2020-3702: Specifically timed and handcrafted traffic can cause
internal errors in a WLAN device that lead to improper layer 2 Wi-Fi
encryption with a consequent possibility of information disclosure
over the air for a discrete set of traffic

stable kernel 4.4 and 4.9 have been fixed this week. This
vulnerability has been fixed since 5.12-rc1-dontuse.
All stable kernels are fixed.

Fixed status

mainline: [56c5485c9e444c2e85e11694b6c44f1338fc20fd,
73488cb2fa3bb1ef9f6cf0d757f76958bd4deaca,
    d2d3e36498dd8e0c83ea99861fac5cf9e8671226,
144cd24dbc36650a51f7fe3bf1424a1432f1f480,
    ca2848022c12789685d3fab3227df02b863f9696]
stable/4.14: [2cbb22fd4b4fb4d0822d185bf5bd6d027107bfda,
20e7de09cbdb76a38f28fb71709fae347123ddb7,
    995586a56748c532850870523d3a9080492b3433,
f4d4f4473129e9ee55b8562250adc53217bad529,
    61b014a8f8de02bedc56f76620170437f5638588]
stable/4.19: [dd5815f023b89c9a28325d8a2a5f0779b57b7190,
d2fd9d34210f34cd0ff5b33fa94e9fcc2a513cea,
    fb924bfcecc90ca63ca76b5a10f192bd0e1bb35d,
7c5a966edd3c6eec4a9bdf698c1f27712d1781f0,
    08c613a2cb06c68ef4e7733e052af067b21e5dbb]
stable/4.4: [4d6b4335838fd89419212e1e486c415ec36fb610,
5d97f20dc21f3f4b14105590f729e513b0c4921d,
    85d371eb7259c2e6aecd0b77c3f8c193c9593624,
1c8e25862a00a539803fa60eb7a907143688b178,
    3fd07178fbf012db0b38488ea2e0069412250dd2]
stable/4.9: [ea3f7df20fc8e0b82ec0e065b0b0d38e55fd7775,
74adc24d162e67d8862edaf701de620f36f98215,
    d7d4c3c60342deba706fd76ef09d8af68b9a64d8,
13c51682b07a5db4d9efb514e700407c6da22ff9,
    7afed8faf42d8358a165ba554891085e10b1f7a0]
stable/5.10: [8f05076983ddeaae1165457b6aa4eca9fe0e5498,
6566c207e5767deb37d283ed9f77b98439a1de4e,
    2925a8385ec746bf09c11dcadb9af13c26091a4d,
609c0cfd07f0ae6c444e064a59b46c5f3090b705,
    e2036bc3fc7daa03c15fda27e1818192da817cea]
stable/5.4: [0c049ce432b37a51a0da005314ac32e5d9324ccf,
add283e2517a90468ce223465e0f4360128bb650,
    b7d593705eb4f0655a70f0207f573fb1edb80bda,
c6feaf806da6a0deecc2fe41adb3443cdecba347,
    23f77ad13f8176314b7c51f71b9ac7c5c6d10b7b]

CVE-2021-40490: ext4: fix race writing to an inline_data file while
its xattrs are changing

4.4, 4.9, 4.14, and 4.19 kernels have been fixed this week. All stable
kernels are fixed.

Fixed status

mainline: [a54c4613dac1500b40e4ab55199f7c51f028e848]
stable/4.14: [9569234645f102025aaf0fc83d3dcbf1b8cbf2dc]
stable/4.19: [c481607ba522e31e6ed01efefc19cc1d0e0a46fa]
stable/4.4: [69d82df68fbc5e368820123200d7b88f6c058350]
stable/4.9: [7067b09fe587cbd47544a3047a40c64e4d636fff]
stable/5.10: [09a379549620f122de3aa4e65df9329976e4cdf5]
stable/5.13: [c764e8fa4491da66780fcb30a0d43bfd3fccd12c]
stable/5.14: [f8ea208b3fbbc0546d71b47e8abaf98b0961dec1]
stable/5.4: [9b3849ba667af99ee99a7853a021a7786851b9fd]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6744): https://lists.cip-project.org/g/cip-dev/message/6744
Mute This Topic: https://lists.cip-project.org/mt/85805475/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


^ permalink raw reply	[flat|nested] 26+ messages in thread
* [cip-dev] New CVE entry this week
@ 2021-09-16  0:43 Masami Ichikawa
  2021-09-16  4:55 ` Nobuhiro Iwamatsu
  0 siblings, 1 reply; 26+ messages in thread
From: Masami Ichikawa @ 2021-09-16  0:43 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 3038 bytes --]

Hi !

It's this week's CVE report.

This week reported 4 new CVEs.

* New CVEs

CVE-2021-3744: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()

This bug is in the AMD Cryptographic Coprocessor (CCP) driver. This
bug is related to CVE-2021-3744.

In the cip-kernel-config directory, 4.4 kernel uses this driver.

$ find . -type f | xargs grep -n "ccp-ops.c"
./4.4.y-cip-rt/x86/siemens_i386-rt.sources:1716:drivers/crypto/ccp/ccp-ops.c
./4.4.y-cip-rt/all.sources:3665:drivers/crypto/ccp/ccp-ops.c

Fixed status

Patch is available but it hasn't been merged yet.

CVE-2021-3764: DoS in ccp_run_aes_gcm_cmd() function

This vulnerability is a memory leak which will cause Dos attack.
This bug is in the AMD Cryptographic Coprocessor (CCP) driver. This
bug is related to CVE-2021-3764.

Fixed status

Patch is available but it hasn't been merged yet.

CVE-2021-3752: UAF in bluetooth

There is a use after free bug in bluetooth module.

Fixed status

This CVE hasn't been fixed in the mainline yet.

CVE-2021-38300: bpf, mips: Validate conditional branch offsets

This bug only affects bpf in mips architecture.  Patch is available,
but hasn't been merged yet.

Fixed status:

Not yet.

* Updated CVEs

CVE-2021-40490:  A race condition was discovered in
ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem
in the Linux kernel through 5.13.13

kernel 5.4 has been fixed.

Fixed status

mainline: [a54c4613dac1500b40e4ab55199f7c51f028e848]
stable/5.10: [09a379549620f122de3aa4e65df9329976e4cdf5]
stable/5.13: [c764e8fa4491da66780fcb30a0d43bfd3fccd12c]
stable/5.14: [f8ea208b3fbbc0546d71b47e8abaf98b0961dec1]
stable/5.4: [9b3849ba667af99ee99a7853a021a7786851b9fd]

CVE-2021-3635: flowtable list del corruption with kernel BUG at
lib/list_debug.c:50

This vulnerability has been affected from 4.16-rc1 to 5.5-rc7.
Therefore 4.4 kernel, and above 5.5 kernels aren't affected.

Fixed status

cip/4.19: [8260ce5aeee4d7c4a6305e469edeae1066de2800]
cip/4.19-rt: [8260ce5aeee4d7c4a6305e469edeae1066de2800]
mainline: [335178d5429c4cee61b58f4ac80688f556630818]
stable/4.19: [8260ce5aeee4d7c4a6305e469edeae1066de2800]
stable/5.4: [8f4dc50b5c12e159ac846fdc00702c547fdf2e95]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6739): https://lists.cip-project.org/g/cip-dev/message/6739
Mute This Topic: https://lists.cip-project.org/mt/85642333/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


^ permalink raw reply	[flat|nested] 26+ messages in thread
* [cip-dev] New CVE entry this week
@ 2021-09-02  1:05 Masami Ichikawa
  2021-09-02  6:27 ` Pavel Machek
  0 siblings, 1 reply; 26+ messages in thread
From: Masami Ichikawa @ 2021-09-02  1:05 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 6613 bytes --]

Hi !

It's this week's CVE report.

* CVE short summary

** New CVEs

CVE-2021-3739: mainline is fixed. before 4.20-rc1 kernels aren't affected.

CVE-2021-3743: mainline is fixed. before 4.15-rc1 kernels aren't affected.

CVE-2021-3753: mainline is fixed. 4.4 and 4.19 kernels are affected.

** Updated CVEs

CVE-2020-3702: 4.14, 4.19, 5.10, 5.4 kernels are fixed

CVE-2021-3653:stable kernels are fixed.

CVE-2021-3656: stable are fixed. 4.4 is not affected.

CVE-2021-3600: Patches for 4.19 exist in stable-rc tree as of 2021/09/02.

** Tracking CVEs

CVE-2021-31615: No fix information as of 2021/09/02.

CVE-2021-3640: No fix information as of 2021/09/02.

CVE-2020-26555: No fix information as of 2021/09/02.

CVE-2020-26556: No fix information as of 2021/09/02.

CVE-2020-26557: No fix information as of 2021/09/02.

CVE-2020-26559: No fix information as of 2021/09/02.

CVE-2020-26560: No fix information as of 2021/09/02.

CVE-2021-3600: mainline, 5.10, 5.4 are fixed. 4.4 isn't affected. 4.19
will be fixed in stable tree.

* CVE detail

New CVEs

CVE-2021-3739: btrfs: fix NULL pointer dereference when deleting
device by invalid id

Fixed in btrfs tree but not fixed in mainline yet.
This vulnerability has been introduced since 4.20-rc1 so before 4.20
kernel aren't affected this vulnerability.

Fixed status

mainline: [e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091]

CVE-2021-3743: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c

The Qualcomm's IPC router protocol(qrtr) has been introduced since
4.15-rc1 so before 4.15 kernels aren't affected.
Checked on cip-kernel-config, it looks like no CIP member enables QRTR.

Fixed status

mainline: [7e78c597c3ebfd0cb329aa09a838734147e4f117]

CVE-2021-3753: A out-of-bounds caused by the race of KDSETMODE in vt

Commit ffb324e6f874121f7dce5bdae5e05d02baae7269 introduced race
condition and oob bug. The commit ffb324e6f874 have been backported to
4.4 and 4.19.

Fixed status

mainline: [2287a51ba822384834dafc1c798453375d1107c7]

Updated CVEs

CVE-2020-3702: Specifically timed and handcrafted traffic can cause
internal errors in a WLAN device that lead to improper layer 2 Wi-Fi
encryption with a consequent possibility of information disclosure
over the air for a discrete set of traffic

Vulnerability in ath9k driver. 4.4.y-cip/arm/siemens_imx6_defconfig
and 4.4.y-cip/arm/moxa_mxc_defconfig use ath9k.

Fixed status

mainline: [56c5485c9e444c2e85e11694b6c44f1338fc20fd,
73488cb2fa3bb1ef9f6cf0d757f76958bd4deaca,
  d2d3e36498dd8e0c83ea99861fac5cf9e8671226,
144cd24dbc36650a51f7fe3bf1424a1432f1f480,
  ca2848022c12789685d3fab3227df02b863f9696]
stable/4.14: [2cbb22fd4b4fb4d0822d185bf5bd6d027107bfda,
20e7de09cbdb76a38f28fb71709fae347123ddb7,
  995586a56748c532850870523d3a9080492b3433,
f4d4f4473129e9ee55b8562250adc53217bad529,
  61b014a8f8de02bedc56f76620170437f5638588]
stable/4.19: [dd5815f023b89c9a28325d8a2a5f0779b57b7190,
d2fd9d34210f34cd0ff5b33fa94e9fcc2a513cea,
  fb924bfcecc90ca63ca76b5a10f192bd0e1bb35d,
7c5a966edd3c6eec4a9bdf698c1f27712d1781f0,
  08c613a2cb06c68ef4e7733e052af067b21e5dbb]
stable/5.10: [8f05076983ddeaae1165457b6aa4eca9fe0e5498,
6566c207e5767deb37d283ed9f77b98439a1de4e,
  2925a8385ec746bf09c11dcadb9af13c26091a4d,
609c0cfd07f0ae6c444e064a59b46c5f3090b705,
  e2036bc3fc7daa03c15fda27e1818192da817cea]
stable/5.4: [0c049ce432b37a51a0da005314ac32e5d9324ccf,
add283e2517a90468ce223465e0f4360128bb650,
  b7d593705eb4f0655a70f0207f573fb1edb80bda,
c6feaf806da6a0deecc2fe41adb3443cdecba347,
  23f77ad13f8176314b7c51f71b9ac7c5c6d10b7b]

CVE-2021-3653: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

Fixed status

mainline: [0f923e07124df069ba68d8bb12324398f4b6b709]
stable/4.14: [26af47bdc45e454877f15fa7658a167bb9799681]
stable/4.19: [42f4312c0e8a225b5f1e3ed029509ef514f2157a]
stable/4.4: [53723b7be26ef31ad642ce5ffa8b42dec16db40e]
stable/4.9: [29c4f674715ba8fe7a391473313e8c71f98799c4]
stable/5.10: [c0883f693187c646c0972d73e525523f9486c2e3]
stable/5.13: [a0949ee63cf95408870a564ccad163018b1a9e6b]
stable/5.4: [7c1c96ffb658fbfe66c5ebed6bcb5909837bc267]


CVE-2021-3656: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

Fixed status

mainline: [c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc]
stable/4.14: [6ed198381ed2496fbc82214108e56a441d3b0213]
stable/4.19: [119d547cbf7c055ba8100309ad71910478092f24]
stable/5.10: [3dc5666baf2a135f250e4101d41d5959ac2c2e1f]
stable/5.13: [639a033fd765ed473dfee27028df5ccbe1038a2e]
stable/5.4: [a17f2f2c89494c0974529579f3552ecbd1bc2d52]
stable/4.4: Not affected

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information as of 2021/08/26.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information as of 2021/08/26.

CVE-2020-26555: BR/EDR pin code pairing broken

There is no fix information as of 2021/08/26.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information as of 2021/08/26.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information as of 2021/08/26.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information as of 2021/08/26.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information as of 2021/08/26.

CVE-2021-3600: eBPF 32-bit source register truncation on div/mod

The vulnerability has been introduced since 4.15-rc9. 4.4 is not
affected. 4.19 is not fixed yet as of 2021/08/26.
Patches have been sent to stable
kernel(https://lore.kernel.org/stable/YSj43Lpw9bilHuIn@kroah.com/T/#t).
Then these have been included in stable-rc tree. These patch set
addressed to fix CVE-2021-3444 and CVE-2021-3600.

Discussion: https://lore.kernel.org/stable/YSd1q9Llm1vsWbXT@mussarela/T/#t

Patches in stable-rc tree.

bpf: Do not use ax register in interpreter on div/mod:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=queue/4.19&id=5179c6c58d0a2a05eeadd1bc0431bee01609d5b2
bpf: Fix 32 bit src register truncation on div/mod:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=queue/4.19&id=ca13f215fc36e37cf46d624b8c0ee71c10e231b1
bpf: Fix truncation handling for mod32 dst reg wrt zero:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=queue/4.19&id=a84037fcded8a9513f4838079cef85c516036f23


mainline: [e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90]
stable/5.10: [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
stable/5.4: [78e2f71b89b22222583f74803d14f3d90cdf9d12]

Regards,

[-- Attachment #2: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6713): https://lists.cip-project.org/g/cip-dev/message/6713
Mute This Topic: https://lists.cip-project.org/mt/85318439/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


^ permalink raw reply	[flat|nested] 26+ messages in thread
end of thread, other threads:[~2021-10-21 12:06 UTC | newest]

Thread overview: 26+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-09  2:39 [cip-dev] New CVE entry this week Masami Ichikawa
2021-09-09  6:41 ` Pavel Machek
2021-09-09 12:23   ` Masami Ichikawa
     [not found] ` <CAMLqsBZCbrdOaxhuc81kvZsinS+_bFPp2tpmuVnczC1EXCA3Zg@mail.gmail.com>
2021-09-10  0:40   ` Masami Ichikawa
  -- strict thread matches above, loose matches on Subject: below --
2021-10-21  1:21 Masami Ichikawa
2021-10-21  8:41 ` [cip-dev] " nobuhiro1.iwamatsu
2021-10-21 12:05   ` Masami Ichikawa
2021-10-13 23:54 Masami Ichikawa
2021-10-13 23:54 ` Masami Ichikawa
2021-10-14  6:55   ` Pavel Machek
2021-10-14  6:55     ` Pavel Machek
2021-10-07  0:59 Masami Ichikawa
2021-10-07  0:59 ` Masami Ichikawa
2021-10-07  7:30   ` Pavel Machek
2021-10-07  7:30     ` Pavel Machek
2021-10-07 11:38     ` Masami Ichikawa
2021-10-07 11:38       ` Masami Ichikawa
2021-09-30  0:12 Masami Ichikawa
2021-09-30  0:12 ` Masami Ichikawa
2021-09-30  6:33   ` nobuhiro1.iwamatsu
2021-09-30  6:33     ` Nobuhiro Iwamatsu
2021-09-30 12:11     ` Masami Ichikawa
2021-09-30 12:11       ` Masami Ichikawa
2021-09-23  1:52 Masami Ichikawa
2021-09-16  0:43 Masami Ichikawa
2021-09-16  4:55 ` Nobuhiro Iwamatsu
2021-09-02  1:05 Masami Ichikawa
2021-09-02  6:27 ` Pavel Machek
2021-09-02  7:10   ` Nobuhiro Iwamatsu
2021-09-02 12:17   ` Masami Ichikawa

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.