* [cip-dev] CVE-2021-3444 and CVE-2021-20292
@ 2021-06-27  8:38 Pavel Machek
From: Pavel Machek @ 2021-06-27  8:38 UTC (permalink / raw)
  To: cip-dev, masashi.kudo



Hi!

We have an outstanding action item about these two, but at this point I
believe we should simply start monitoring these:

CVE-2021-3444 -- this is about BPF handling. It does not look like
an easy backport, and BPF has a ton of other issues (especially with
respect to speculative execution), and my recommendation would be to
avoid BPF. My impression is that BPF is not really a focus of the CIP
project (we may want to ask members if anyone is using it?).

CVE-2021-20292 -- this is basically a non-issue. First, DRM is not
exactly our focus, but more importantly, this is only an issue if
the attacker already has root.

quoting: https://bugzilla.redhat.com/show_bug.cgi?id=1939686

There is a flaw reported in ... DRM subsystem. .... An attacker with a
local account with a root privilege, can leverage this vulnerability
to escalate privileges and execute code in the context of the kernel.

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
