cip-dev.lists.cip-project.org archive mirror
* New CVE entries this week
@ 2022-06-08 23:44 Masami Ichikawa
  2022-06-09  9:41 ` [cip-dev] " Pavel Machek
  0 siblings, 1 reply; 44+ messages in thread
From: Masami Ichikawa @ 2022-06-08 23:44 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 12 new CVEs and 5 updated CVEs were reported.

* New CVEs

CVE-2022-1972: nf_tables: sanitize nft_set_desc_concat_parse()

CVSS v3 score is not assigned.

An OOB write bug was found in the netfilter module.
This bug was introduced by commit f3a2181 ("netfilter: nf_tables:
Support for sets with multiple ranged fields") in 5.6-rc1.
This commit wasn't backported to 5.4 and prior kernels so these
kernels aren't affected by this vulnerability.

Fixed status
mainline: [fecf31ee395b0295f2d7260aa29946b7605f7c85]
stable/5.10: [c0aff1faf66b6b7a19103f83e6a5d0fdc64b9048]
stable/5.15: [89ef50fe03a55feccf5681c237673a2f98161161]
stable/5.17: [c88f3e3d243d701586239c5b69356ec2b1fd05f1]
stable/5.18: [c9a46a3d549286861259c19af4747e12cfaeece9]

CVE-2022-1974: nfc: replace improper check device_is_registered() in
netlink related functions

CVSS v3 score is not assigned.

A UAF bug was found in /net/nfc/core.c that allows an attacker to
crash the Linux kernel by simulating an NFC device from user space.

Fixed status
cip/4.4: [0630ce232266d13644cd7a86dd7911d4825324b4]
cip/4.4-st: [0630ce232266d13644cd7a86dd7911d4825324b4]
mainline: [da5c0f119203ad9728920456a0f52a6d850c01cd]
stable/4.14: [6f0ac4cd0377ab4e0b49b8f6efd37057c21336a9]
stable/4.19: [7deebb94a311da0e02e621e765c3aef3d5936572]
stable/4.9: [fa2217b66467917a623993c14d671661ad625fb6]
stable/5.10: [8a9e7c64f4a02c4c397e55ba379609168ec7df4a]
stable/5.15: [a2168fb3128a576d0175443403c15dcf8bf128f6]
stable/5.17: [8b58d6e565d83443c51b3fc076bd4472674aca0c]
stable/5.4: [85aecdef77f9c5b5c0d8988db6681960f0d46ab3]

CVE-2022-1975: NFC: netlink: fix sleep in atomic bug when firmware
download timeout

When nlmsg_new() is called from fw_dnld_timeout(), which is a timer
handler, nlmsg_new() allocates memory with GFP_KERNEL. So,
nlmsg_new() may sleep to allocate memory. If nlmsg_new() sleeps in
that context, it will cause a kernel panic.

CVSS v3 score is not assigned.

Fixed status
cip/4.4: [12ddd94e76f674056ee706557e6ce5be43bc06e8]
cip/4.4-st: [12ddd94e76f674056ee706557e6ce5be43bc06e8]
mainline: [4071bf121d59944d5cd2238de0642f3d7995a997]
stable/4.14: [c33b2afffe8ae90e0bd4790e0505edd92addf14c]
stable/4.19: [d360fc8df363ecd7892d755d69ffc8c61d699e38]
stable/4.9: [a93ea9595fde438996d7b9322749d4d1921162f7]
stable/5.10: [879b075a9a364a325988d4484b74311edfef82a1]
stable/5.15: [7bd81a05d48942ef2c48630e5e7963b187e95727]
stable/5.17: [63a545103b77091f2309b44a8975cdf255bb99b2]
stable/5.4: [01d4363dd7176fd780066cd020f66c0f55c4b6f9]

CVE-2022-32296: tcp: increase source port perturb table to 2^16

CVSS v3 score is not assigned.

The Linux kernel before 5.17.9 allows TCP servers to identify clients
by observing what source ports are used.
The INET_TABLE_PERTURB_SHIFT macro was introduced by commit 190cc82
("tcp: change source port randomizarion at connect() time") in
5.12-rc1-dontuse. This commit has been backported to 4.14, 4.19, and
5.10, so these kernels are affected by this vulnerability. This backport
was done recently.

Fixed status
mainline: [4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5]
stable/5.15: [952a238d779eea4ecb2f8deb5004c8f56be79bc9]
stable/5.17: [e3ee7bb47d6509c3e8a3e96e5d8e3bf21549b6e8]

CVE-2022-20132: vulnerability in USB HID subsystem

CVSS v3 score is not assigned.

No vulnerability details yet.
According to the
https://source.android.com/security/bulletin/2022-06-01, this
vulnerability causes information disclosure.

It looks as if the following commits are related to the fix for this vulnerability.
- f83baa0 ("HID: add hid_is_usb() function to make it simpler for USB
detection")
- 918aa1e ("HID: bigbenff: prevent null pointer dereference")
- 720ac46 ("HID: wacom: fix problems when device is not a valid USB device")
- 9302095 ("HID: check for valid USB device for many HID drivers")

The following commits fix build errors.
- 30cb3c2 ("HID: add USB_HID dependancy to hid-prodikeys")
- d080811 ("HID: add USB_HID dependancy to hid-chicony")
- f237d90 ("HID: add USB_HID dependancy on some USB HID drivers")

Fixed status
mainline: [f83baa0cb6cfc92ebaf7f9d3a99d7e34f2e77a8a,
  30cb3c2ad24b66fb7639a6d1f4390c74d6e68f94,
  d080811f27936f712f619f847389f403ac873b8f,
  f237d9028f844a86955fc9da59d7ac4a5c55d7d5,
  918aa1ef104d286d16b9e7ef139a463ac7a296f0,
  720ac467204a70308bd687927ed475afb904e11b,
  93020953d0fa7035fd036ad87a47ae2b7aa4ae33]
stable/4.19: [b1efa723b986a84f84a95b6907cffe3a357338c9,
  cb54ea86f247a28ce5d8ec147e58c13de669d04a,
  de8ac0cf03f1124ef39debb337811e54f3e2f55c,
  b0f286d9b1f8a2448373aa45ac8333645c48ea85,
  945e3464ba6671692d0692d4b4325ec003db18c5,
  128074f16e32c188fa2ed6edac625067c842606e]
stable/4.9: [28d8244f3ec961a11bfb4ad83cdc48ff9b8c47a7,
  5b8d74ff145de1b5adb133895fd63cd533d68422,
  4435bc144fb6295db371e9753305a96f0c19b2ef,
  c57e3b8082a4860f31f71d113b3e66bb64b4eb0a,
  1309eb2ef1001c4cc7e07b867ad9576d2cfeab47,
  10d0f0aaa5cde52bd5685ee8d0adc02f1efb1983]
stable/5.10: [61144329606cb9518642b7d2e940b21eb3214204,
  28989ed4d79e95dc59de6143c81c5826251b85e4,
  a7e9c5ddf562cf1923b21e5a085567807a059046,
  d877651afd60dcbbcdc31f9efded3c27813afd1a,
  918aa1ef104d286d16b9e7ef139a463ac7a296f0,
  889c39113f7e2219da49446b7e8772d1f62d0dca,
  89f3edc98ffe48557405ecfd9520f73244d099c9]
stable/5.15: [e1e21632a4c4d2f85587e204939883ce59d18447,
  10b05037d7a831249bd513ba125e88b242c35a4b,
  8c765cf5f1bccf6d6f945db9c9e3a7602ad8bb46,
  30d3150d909431fd7424ab8ff4c4c2c795554e30,
  58f15f5ae7786c824868f3a7e093859b74669ce7,
  05ca95256abaf3971f73fdcf61a1f6091957f8fb,
  a579510a64ed15463a69cd6fe1a3339bf9ded33b]
stable/5.4: [6e1e0a01425810494ce00d7b800b69482790b198,
  ee8477d1dbcee286e4f88ac9187b2f2fd0d0e156,
  f8a6538587b49ad48e0aa45e50d4fa3f7253c2ee,
  31520ec149d28845f34c527a4e861502ea290a53,
  8e0ceff632f48175ec7fb4706129c55ca8a7c7bd,
  e9114b9dc8ea3826b9d1b9af2462debeb91ed294,
  a7944962ee1f867711642fcdd8acd574a00dcdf7]

CVE-2022-20141: igmp: Add ip_mc_list lock in ip_check_mc_rcu

CVSS v3 score is not assigned.

A UAF bug was found in ip_check_mc_rcu() in net/ipv4/igmp.c.
According to the
https://source.android.com/security/bulletin/2022-06-01, this
vulnerability causes privilege escalation.

Fixed status
cip/4.4: [b24065948ae6c48c9e20891f8cfe9850f1d748be]
cip/4.4-rt: [b24065948ae6c48c9e20891f8cfe9850f1d748be]
mainline: [23d2b94043ca8835bd1e67749020e839f396a1c2]
stable/4.14: [78967749984cf3614de346c90f3e259ff8272735]
stable/4.19: [4768973dffed4d0126854514335ed4fe87bec1ab]
stable/4.9: [e9924c4204ede999b0515fd31a370a1e27f676bc]
stable/5.10: [ddd7e8b7b84836c584a284b98ca9bd7a348a0558]
stable/5.4: [d84708451d9041dff8a81e3718f821f12d2eb6c5]

CVE-2022-20148: A UAF bug was found in f2fs

CVSS v3 score is not assigned.

According to the
https://source.android.com/security/bulletin/pixel/2022-06-01, this
vulnerability causes privilege escalation.

Commit 5429c9d ("f2fs: fix UAF in f2fs_available_free_memory") fixes
a UAF bug which was introduced by commit d6d2b49 ("f2fs: allow to
change discard policy based on cached discard cmds") in v5.13-rc1.
Commit d6d2b49 isn't backported to stable kernels.

Fixed status
mainline: [d6d2b491a82e1e411a6766fbfb87c697d8701554,
5429c9dbc9025f9a166f64e22e3a69c94fd5b29b]
stable/5.15: [d6d2b491a82e1e411a6766fbfb87c697d8701554,
5e1b901dd470659bcfeaa76811d2af9165579d77]

CVE-2022-20153: io_uring: return back safer resurrect

CVSS v3 score is not assigned.

According to the
https://source.android.com/security/bulletin/pixel/2022-06-01, this
vulnerability causes privilege escalation.
This fix reverts commit cb5e1b8 ("Revert "io_uring: wait potential
->release() on resurrect"") that was merged in 5.12-rc1-dontuse.
Kernels earlier than 5.1 aren't affected by this issue because
io_uring was introduced in 5.1.

Fixed status
mainline: [f70865db5ff35f5ed0c7e9ef63e7cca3d4947f04]
stable/5.10: [dc1163203ae6e24b86168390fe5b4a3295fcba7f]

CVE-2022-20154: sctp: use call_rcu to free endpoint

CVSS v3 score is not assigned.

A UAF bug was found in sctp_sock_dump() in the net/sctp subsystem.
According to the
https://source.android.com/security/bulletin/pixel/2022-06-01, this
vulnerability causes privilege escalation.
This commit fixes commit d25adbe ("sctp: fix an use-after-free issue
in sctp_sock_dump") which was introduced in 4.14-rc1.
Commit d25adbe isn't backported to 4.4.y, so the 4.4.y kernel isn't
affected by this issue.

Fixed status
mainline: [5ec7d18d1813a5bead0b495045606c93873aecbb]
stable/4.14: [8873140f95d4977bf37e4cf0d5c5e3f6e34cdd3e]
stable/4.19: [af6e6e58f7ebf86b4e7201694b1e4f3a62cbc3ec]
stable/5.10: [769d14abd35e0e153b5149c3e1e989a9d719e3ff]
stable/5.15: [75799e71df1da11394740b43ae5686646179561d]

CVE-2022-20166: drivers core: Use sysfs_emit and sysfs_emit_at for
show(device *...) functions

CVSS v3 score is not assigned.

No vulnerability details yet.
This fix changes sprintf() to sysfs_emit(), so it looks like it
prevents a buffer overflow bug.
According to the
https://source.android.com/security/bulletin/pixel/2022-06-01, this
vulnerability causes privilege escalation.
The commit aa83889 ("drivers core: Use sysfs_emit and sysfs_emit_at
for show(device *...) functions") was merged in 5.10-rc1.
This commit isn't backported to 4.x kernels. So, if backporting the
CVE-2022-20166 fix to the 4.x series, commit aa83889 is required.

Fixed status
mainline: [aa838896d87af561a33ecefea1caa4c15a68bc47]
stable/5.4: [9e9241d3345af3f2a78a5b60701a9cf0d15bf942]

CVE-2022-1973: fs/ntfs3: Fix invalid free in log_replay

CVSS v3 score is not assigned.

An invalid free of a pointer was found in log_replay() in the ntfs3
subsystem. When log_read_rst() returns an ENOMEM error, it accesses an
uninitialized value and attempts to call kfree(), which causes a kernel
crash. The ntfs3 subsystem was introduced in 5.15, so versions earlier
than this aren't affected by this issue.

Fixed status
mainline: [f26967b9f7a830e228bb13fb41bd516ddd9d789d]

CVE-2022-1998: fanotify: Fix stale file descriptor in copy_event_to_user()

CVSS v3 score is not assigned.

A UAF vulnerability was found in the fanotify subsystem. To exploit this
vulnerability, an attacker needs to have the CAP_SYS_ADMIN capability.

This vulnerability was introduced by commit f644bc4 ("fanotify: fix
copy_event_to_user() fid error clean up") in 5.13-rc7.
The commit f644bc4 isn't backported to kernels earlier than 5.10.

Fixed status
mainline: [ee12595147ac1fbfb5bcb23837e26dd58d94b15d]
stable/5.10: [7b4741644cf718c422187e74fb07661ef1d68e85]
stable/5.15: [60765e43e40fbf7a1df828116172440510fcc3e4]

* Updated CVEs

CVE-2022-1966: netfilter: nf_tables: disallow non-stateful expression
in sets earlier

The mainline, 5.10, 5.15, 5.17, and 5.18 were fixed this week.

Fixed status
mainline: [520778042ccca019f3ffa136dd0ca565c486cedd]
stable/5.10: [ea62d169b6e731e0b54abda1d692406f6bc6a696]
stable/5.15: [f692bcffd1f2ce5488d24fbcb8eab5f351abf79d]
stable/5.17: [d8db0465bcc4d4b54ecfb67b820ed26eb1440da7]
stable/5.18: [8f44c83e51b4ca49c815f8dd0d9c38f497cdbcb0]

CVE-2022-21499: lockdown: also lock down previous kgdb use

5.4 was fixed this week.

Fixed status
mainline: [eadb2f47a3ced5c64b23b90fd2a3463f63726066]
stable/5.10: [a8f4d63142f947cd22fa615b8b3b8921cdaf4991]
stable/5.15: [69c5d307dce1560fafcb852f39d7a1bf5e266641]
stable/5.17: [281d356a035132f2603724ee0f04767d70e2e98e]
stable/5.18: [eca56bf0066ef2f1e7be0e3fa7564b85a309872c]
stable/5.4: [8bb828229da903bb5710d21065e0a29f9afd30e0]

CVE-2022-0494: block-map: add __GFP_ZERO flag for alloc_page in
function bio_copy_kern

4.14, 4.19, and 4.9 kernels were fixed this week.

Fixed status
mainline: [cc8f7fe1f5eab010191aa4570f27641876fa1267]
stable/4.14: [4f3ea768c56e8dce55ae538f18b37420366c5c22]
stable/4.19: [18243d8479fd77952bdb6340024169d30b173a40]
stable/4.9: [d59073bedb7cf752b8cd4027dd0f67cf7ac4330f]
stable/5.10: [a439819f4797f0846c7cffa9475f44aef23c541f]
stable/5.15: [a1ba98731518b811ff90009505c1aebf6e400bc2]
stable/5.16: [f8c61361a4f52c2a186269982587facc852dba62]

CVE-2022-1012: secure_seq: use the 64 bits of the siphash for port
offset calculation

Commit 695309c5 ("secure_seq: use the 64 bits of the siphash for port
offset calculation") was added to 4.19.

Fixed status
mainline: [b2d057560b8107c633b39aabe517ff9d93f285e3,
  9e9b70ae923baf2b5e8a0ea4fd0c8451801ac526,
  4dfa9b438ee34caca4e6a4e5e961641807367f6f,
  ca7af0402550f9a0b3316d5f1c30904e42ed257d,
  e9261476184be1abd486c9434164b2acbe0ed6c2,
  4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5,
  e8161345ddbb66e449abde10d2fdce93f867eba9]
stable/4.19: [abcf4e1277d169b82dd7ee290006487ed16016ce,
  695309c5c71526d32f5539f008bbf20ed2218528]
stable/5.10: [d254309aab27fdcdc68e6bc9c663e51f3e7b37dc,
  a5c68f457fbf52c5564ca4eea03f84776ef14e41]
stable/5.15: [1a8ee547da2b64d6a2aedbd38a691578eff14718,
  ff01554d8755bdbe2aec2e2cff322d95f328cb89,
  f41f6336bfc43500e4e94ada703cd5aebb91789e,
  b763fce193b42048444afd85d066b136288ad2c8,
  4a3eefa399e675c4a5239497832a72733281a20f,
  952a238d779eea4ecb2f8deb5004c8f56be79bc9,
  f26c6f9404e1d6f3bfc9780ffba82a01a595d147]
stable/5.17: [6976724355f5fdada89de528730f9a7b4928f2e3,
  27003fa8b581098aa9768bc03f82d5654368cb02,
  3a8081f81323e1550c241157244318db166b660e,
  c2cef1db8f8aa81330fee4538a1158e1f6fd5bd1,
  01e16c23823a057667feb5cf26ba0c963fef6afd,
  e3ee7bb47d6509c3e8a3e96e5d8e3bf21549b6e8,
  5034cbb361e1c447911a15b1d3982d5df7aa17b9]

CVE-2022-1852: KVM: x86: avoid calling x86 emulator without a decoded
instruction

5.10, 5.15, 5.17, and 5.18 were fixed this week.

Fixed status
mainline: [fee060cd52d69c114b62d1a2948ea9648b5131f9]
stable/5.10: [3d8fc6e28f321d753ab727e3c3e740daf36a8fa3]
stable/5.15: [531d1070d864c78283b7597449e60ddc53319d88]
stable/5.17: [dca5ea67a3e627a3022fe58722a2807c1ef61c29]
stable/5.18: [02ea15c02befea2539d5f0d6b60ce8df88de418b]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

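Every weekly report in this thread uses the same plain-text layout: a `CVE-....:` title line (sometimes wrapped), a few lines of prose, and a `Fixed status` block of `branch: [sha, ...]` lines whose hash lists may also wrap. The parser below is an added example, not part of the mailing-list post and not CIP's own tooling; it turns that layout into a per-CVE, per-branch table so a maintainer can ask which CVEs in a report still have no fix commit recorded for a given branch. The sample input is a constructed excerpt of entries from the message above (some branches omitted), and the function names and the "unfixed on branch" heuristic are this example's own assumptions: a CVE absent from a branch may mean not backported or not affected, and only the report's prose decides which.

```python
"""Parse the weekly CVE report's "Fixed status" blocks into a fix table."""
import re

# Start of an entry, e.g. "CVE-2022-1972: nf_tables: sanitize ..."
CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,}):\s*(.*)$")
# A branch line inside a "Fixed status" block, e.g. "stable/5.10: [c0aff1..."
BRANCH_RE = re.compile(r"^([\w./-]+):\s*\[(.*)$")
# Full 40-hex-digit commit ids as the report lists them
SHA_RE = re.compile(r"\b[0-9a-f]{40}\b")

# Constructed excerpt of the report above (some branches omitted for brevity).
SAMPLE_REPORT = """\
CVE-2022-1972: nf_tables: sanitize nft_set_desc_concat_parse()

CVSS v3 score is not assigned.

Fixed status
mainline: [fecf31ee395b0295f2d7260aa29946b7605f7c85]
stable/5.10: [c0aff1faf66b6b7a19103f83e6a5d0fdc64b9048]
stable/5.15: [89ef50fe03a55feccf5681c237673a2f98161161]

CVE-2022-1974: nfc: replace improper check device_is_registered() in
netlink related functions

Fixed status
cip/4.4: [0630ce232266d13644cd7a86dd7911d4825324b4]
mainline: [da5c0f119203ad9728920456a0f52a6d850c01cd]
stable/4.19: [7deebb94a311da0e02e621e765c3aef3d5936572]
stable/5.4: [85aecdef77f9c5b5c0d8988db6681960f0d46ab3]

CVE-2022-20132: vulnerability in USB HID subsystem

Fixed status
mainline: [f83baa0cb6cfc92ebaf7f9d3a99d7e34f2e77a8a,
30cb3c2ad24b66fb7639a6d1f4390c74d6e68f94,
  d080811f27936f712f619f847389f403ac873b8f,
f237d9028f844a86955fc9da59d7ac4a5c55d7d5,
  918aa1ef104d286d16b9e7ef139a463ac7a296f0,
720ac467204a70308bd687927ed475afb904e11b,
  93020953d0fa7035fd036ad87a47ae2b7aa4ae33]
stable/4.19: [b1efa723b986a84f84a95b6907cffe3a357338c9,
cb54ea86f247a28ce5d8ec147e58c13de669d04a]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.
"""


def parse_report(text):
    """Return {cve_id: {"title": str, "fixed": {branch: [sha, ...]}}}.

    Wrapped titles are re-joined, and a hash list that spans several
    lines is read until its closing ']'.
    """
    entries = {}
    current = None
    in_fixed = False
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = CVE_RE.match(line)
        if m:
            cve, title = m.group(1), m.group(2)
            # The title continues on the following lines until a blank one.
            while i + 1 < len(lines) and lines[i + 1].strip():
                i += 1
                title += " " + lines[i].strip()
            current = entries.setdefault(cve, {"title": title, "fixed": {}})
            in_fixed = False
        elif line == "Fixed status" and current is not None:
            in_fixed = True
        elif in_fixed:
            bm = BRANCH_RE.match(line)
            if bm:
                branch, buf = bm.group(1), bm.group(2)
                # Wrapped hash list: keep reading until the closing bracket.
                while "]" not in buf and i + 1 < len(lines):
                    i += 1
                    buf += " " + lines[i].strip()
                current["fixed"][branch] = SHA_RE.findall(buf)
            elif not line:
                in_fixed = False  # a blank line ends the block
        i += 1
    return entries


def is_fixed(entries, cve, branch):
    """True if the report records at least one fix commit for cve on branch."""
    return bool(entries.get(cve, {}).get("fixed", {}).get(branch))


def unfixed_on(entries, branch):
    """CVEs with a fix recorded somewhere but none on branch (triage list)."""
    return sorted(c for c, e in entries.items() if e["fixed"] and branch not in e["fixed"])


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for b in ("cip/4.4", "stable/5.10", "stable/5.4"):
        print(b, "missing:", unfixed_on(report, b))
```

Run it against a saved copy of a weekly mail; `unfixed_on()` deliberately ignores CVEs with no fix anywhere (the "Currently tracking" entries), since those need no backport decision yet.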

* New CVE entries this week
@ 2023-07-26 23:15 Masami Ichikawa
  2023-07-27  9:26 ` [cip-dev] " Pavel Machek
  0 siblings, 1 reply; 44+ messages in thread
From: Masami Ichikawa @ 2023-07-26 23:15 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 8 new CVEs and 5 updated CVEs were reported.

CVE-2023-20593 is the Zenbleed vulnerability which is not a kernel
vulnerability.  However, the Linux kernel added mitigation code.
CVE-2023-2640 and CVE-2023-32629 are Ubuntu kernel specific
vulnerabilities, so mainline/stable/cip kernels aren't affected.

* New CVEs

CVE-2023-3611: net/sched: sch_qfq: account for stab overhead in qfq_enqueue

CVSS v3 score is not provided(NVD).
CVSS v3 score is not 7.8 HIGH(CNA).

An out-of-bounds write vulnerability in the Linux kernel's net/sched:
sch_qfq component can be exploited to achieve local privilege
escalation.
The qfq_change_agg() function in net/sched/sch_qfq.c allows an
out-of-bounds write because lmax is updated according to packet sizes
without bounds checks.

This bug was introduced by commit 462dbc9 ("pkt_sched: QFQ Plus
fair-queueing service at DRR cost") in 3.8-rc1.

Fixed status
mainline: [3e337087c3b5805fe0b8a46ba622a962880b5d64]
stable/5.15: [91d3554ab1fc2804c36a815c0f79502d727a41e6]
stable/6.1: [70feebdbfad85772ab3ef152812729cab5c6c426]
stable/6.4: [bd2333fa86dc520823e8c317980b29ba91ee6b87]

CVE-2023-3776: net/sched: cls_fw: Fix improper refcount update leads
to use-after-free

CVSS v3 score is not provided(NVD).
CVSS v3 score is not 7.8 HIGH(CNA).

A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw
component can be exploited to achieve local privilege escalation.
If tcf_change_indev() fails, fw_set_parms() will immediately return an
error after incrementing or decrementing the reference counter in
tcf_bind_filter().
If an attacker can control the reference counter and set it to zero,
they can cause the reference to be freed, leading to a use-after-free
vulnerability.

This bug was introduced before 2.6.12. So all stable kernels are affected.

Fixed status
mainline: [0323bce598eea038714f941ce2b22541c46d488f]
stable/5.15: [5b55f2d6ef403fcda93ae4eb4d8c1ba164c66e92]
stable/6.1: [c91fb29bb07ee4dd40aabd1e41f19c0f92ac3199]
stable/6.4: [0a2e3f49febda459252f58cec2d659623d582800]

CVE-2023-3863: net: nfc: Fix use-after-free caused by nfc_llcp_find_local

CVSS v3 score is not provided(NVD).
CVSS v3 score is not 6.4 MEDIUM(CNA).

A use-after-free flaw was found in nfc_llcp_find_local in
net/nfc/llcp_core.c in NFC in the Linux kernel.
This flaw allows a local user with special privileges to impact a
kernel information leak issue.

This patch fixes 52feb44 ("NFC: Extend netlink interface for LTO, RW,
and MIUX parameters support") in 3.8-rc1 and
c7aa122 ("NFC: Take a reference on the LLCP local pointer when creating
a socket") in 3.6-rc1.
So all stable kernels are affected by this bug.

Fixed status
mainline: [6709d4b7bc2e079241fdef15d1160581c5261c10]
stable/5.15: [fc8429f8d86801f092fbfbd257c3af821ac0dcd3]
stable/6.1: [425d9d3a92df7d96b3cfb7ee5c240293a21cbde3]
stable/6.4: [e5207c1d69b1a9707615ab6ff9376e59fc096815]

CVE-2023-20593: “Zen 2” CPUs, under specific microarchitectural
circumstances, may allow an attacker to potentially access sensitive
information

CVSS v3 score is not provided.

An issue in “Zen 2” CPUs, under specific microarchitectural
circumstances, may allow an attacker to potentially access sensitive
information. This bug has been given the name Zenbleed.
You can find more details at https://lock.cmpxchg8b.com/zenbleed.html .

This is not a kernel issue. However, the Linux kernel mitigates the
Zenbleed vulnerability.

Fixed status
mainline: [522b1d69219d8f083173819fde04f994aa051a98]
stable/4.19: [cfef7bbf0dca27209ea5d82d7060d4fc2c0d72ea]
stable/5.10: [93df00f9d48d48466ddbe01a06eaaf3311ecfb53]
stable/5.15: [be824fdb827dc06f77a31122949fe1bc011e3e1e]
stable/5.4: [00363ef30797211c247605464dc3daaa988531a2]
stable/6.1: [ed9b87010aa84c157096f98c322491e9af8e8f07]
stable/6.4: [9b8bb5c4e25678af895dc9dd4a1e82b2f948cacc]

CVE-2023-3772: xfrm: add NULL check in xfrm_update_ae_params

CVSS v3 score is not provided(NVD).
CVSS v3 score is not 5.5 MEDIUM(CNA).

A flaw was found in the Linux kernel’s IP framework for transforming
packets (XFRM subsystem).
This issue may allow a malicious user with CAP_NET_ADMIN privileges to
directly dereference a NULL pointer in xfrm_update_ae_params(), leading
to a possible kernel crash and denial of service.

This bug was introduced by commit d8647b79c3b7 ("xfrm: Add user
interface for esn and big anti-replay windows") in 2.6.39-rc1.

Fixed status
Patch is available but it hasn't been merged yet.
https://lore.kernel.org/netdev/20230721145103.2714073-1-linma@zju.edu.cn/

CVE-2023-3773: xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH

CVSS v3 score is not provided(NVD).
CVSS v3 score is not 5.5 MEDIUM(CNA).

A flaw was found in the Linux kernel’s IP framework for transforming
packets (XFRM subsystem).
This issue may allow a malicious user with CAP_NET_ADMIN privileges to
cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing
netlink attributes, leading to potential leakage of sensitive heap data
to userspace.

This bug was introduced by commit 4e484b3e969b ("xfrm: rate limit SA
mapping change message to user space") in 5.17-rc1.
This patch was backported to 5.15 and 5.10, so these kernels are also affected.
Linux 5.4, 4.19, 4.14 and 4.4 are not affected.

Fixed status
Patch is available but it hasn't been merged yet.
https://lore.kernel.org/all/20230723074110.3705047-1-linma@zju.edu.cn/T/#u

CVE-2023-2640: An unprivileged user may set privileged extended
attributes on the mounted files in ubuntu kernels

CVSS v3 score is not provided(NVD).
CVSS v3 score is not 7.8 HIGH(CNA).

On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE:
overlayfs: Skip permission checking for trusted.overlayfs.* xattrs",
an unprivileged user may set privileged extended attributes on the
mounted files, leading them to be set on the upper files without the
appropriate security checks.

This CVE is Ubuntu kernel specific, so mainline/stable/cip kernels
aren't affected.

CVE-2023-32629: Local privilege escalation vulnerability in Ubuntu
Kernels overlayfs

CVSS v3 score is not provided(NVD).
CVSS v3 score is not 7.8 HIGH(CNA).

Local privilege escalation vulnerability in Ubuntu Kernels overlayfs
ovl_copy_up_meta_inode_data skip permission checks when calling
ovl_do_setxattr on Ubuntu kernels.

This CVE is Ubuntu kernel specific, so mainline/stable/cip kernels
aren't affected.

* Updated CVEs

CVE-2022-48502: fs/ntfs3: Check fields while reading

Stable 5.15 and 6.1 were fixed.

Fixed status
mainline: [0e8235d28f3a0e9eda9f02ff67ee566d5f42b66b]
stable/5.15: [333feb7ba84f69f9b423422417aaac54fd9e7c84]
stable/6.1: [000a9a72efa4a9df289bab9c9e8ba1639c72e0d6]

CVE-2023-2898: f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io()

Stable 5.15 was fixed.

Fixed status
mainline: [d8189834d4348ae608083e1f1f53792cfcc2a9bc]
stable/5.15: [982c29e0d27a48d65fd0fa0d1bcee501eeb06e76]
stable/6.1: [ebe83e9bb8a6b3db28603fe938ee80ccaa01ed53]
stable/6.4: [5619e9aabbd2b369cde2114ad6f55f6eb3e0b5be]

CVE-2023-31248: nf_tables UAF when using nft_chain_lookup_byid

Stable 5.15 was fixed.

Fixed status
mainline: [515ad530795c118f012539ed76d02bacfd426d89]
stable/5.15: [041e2ac88caef286b39064e83e825e3f53113d36]
stable/6.1: [fc95c8b02c6160936f1f3d8d9d7f4f66f3c84b49]
stable/6.4: [5e5e967e8505fbdabfb6497367ec1b808cadc356]

CVE-2023-35001: nf_tables nft_byteorder_eval OOB read/write

Stable 5.15 was fixed.

Fixed status
mainline: [caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd]
stable/5.15: [870dcc31c0cf47cb15a568ade4168dc644b3ccfb]
stable/6.1: [40f83dd66a823400d8592e3b71e190e3ad978eb5]
stable/6.4: [b79c09c2bf2d7643902a6ef26152de602c5c5e4b]

CVE-2023-38432: OOB read bug was found in the ksmbd subsystem

Stable 5.15 was fixed.

Fixed status
mainline: [2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d]
stable/5.15: [35f450f54dca1519bb24faacd0428db09f89a11f]
stable/6.1: [9650cf70ec9d94ff34daa088b643229231723c26]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com


* New CVE entries this week
@ 2023-06-14 22:43 Masami Ichikawa
  2023-06-15  8:41 ` [cip-dev] " Pavel Machek
  0 siblings, 1 reply; 44+ messages in thread
From: Masami Ichikawa @ 2023-06-14 22:43 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 4 new CVEs and 7 updated CVEs were reported.

* New CVEs

CVE-2023-3141: memstick: r592: Fix UAF bug in r592_remove due to race condition

CVSS v3 score is 5.9 MEDIUM.

The client side in OpenSSH 5.7 through 8.4 has an Observable
Discrepancy leading to an information leak in the algorithm
negotiation. This allows man-in-the-middle attackers to target initial
connection attempts (where no host key for the server has been cached
by the client).

Fixed status
mainline: [63264422785021704c39b38f65a78ab9e4a186d7]
stable/4.14: [3faa6fe21c516dbcca469c297df77decbc2fed0f]
stable/4.19: [dce890c3dfaf631d0a8ac79c2792911f9fc551fa]
stable/5.10: [5c23f6da62f71ebfeda6ea3960982ccd926ebb09]
stable/5.15: [162a9b321538972a260c7b178638c2368c071f77]
stable/5.4: [a2a5d3a584bf86c9c09017381a8fc63cfaf5a9e6]
stable/6.1: [9a342d4eb9fb8e52f7d1afe088a79513f3f9a9a5]
stable/6.3: [76fec5f01c9c70e11b85fdeb3f2707589c9238ca]

CVE-2023-3159: A use-after-free bug was found in firmware driver code

CVSS v3 score is not provided.

A use after free issue was discovered in driver/firewire in
outbound_phy_packet_callback in the Linux Kernel. In this flaw a local
attacker with special privilege may cause a use after free problem
when queue_event() fails.

It was fixed in 5.18-rc6. All stable kernels and cip kernels were fixed.

Fixed status
mainline: [b7c81f80246fac44077166f3e07103affe6db8ff]
stable/4.14: [1269a6567274edecd04ee7fd7871aa4d0c937f2a]
stable/4.19: [34380b5647f13fecb458fea9a3eb3d8b3a454709]
stable/5.10: [e757ff4bbc893bc030c2d10143091094da73b9ff]
stable/5.15: [e259ba5c08d3791ab269b7775f1de5b36b06388c]
stable/5.4: [34b9b91829111a7e44b593c790a22680c89cd402]

CVE-2023-3161: An OOB access bug was found in fbdev driver

CVSS v3 score is not provided.

A flaw was found in the Framebuffer Console (fbcon) in the Linux
Kernel. When providing font->width and font->height greater than 32 to
fbcon_set_font, since there are no checks in place, a
shift-out-of-bounds occurs leading to undefined behavior and possible
denial of service.

It was fixed in 6.2-rc7. All stable kernels and cip kernels were fixed.

Fixed status
mainline: [2b09d5d364986f724f17001ccfe4126b9b43a0be]
stable/4.14: [7625513267a2b155a5e31e4ac443bf954591b7fa]
stable/4.19: [1c3d4901fad1db6a4e2dcdd6b13ed0ea22f227a1]
stable/5.10: [28d190882ba55cbcee1db8e4ae90c149178dcf64]
stable/5.15: [dccbd062d71657648efc32fdc9919b33763cc68b]
stable/5.4: [4abcd352a0222cc807f6f87d2f58d59aeeb70340]
stable/6.1: [5e7f6e2ade57dfd6d133ff7c643abd2079248943]

CVE-2023-3212: NULL pointer dereference in gfs2_evict_inode() in fs/gfs2/super.c

CVSS v3 score is not provided.

A Null pointer dereference bug was found in the gfs2 file system where
the evict code attempts to reference the freed and NULL-ified journal
descriptor structure (jdesc).
The vulnerability arises from a sequence of events that includes the
freeing of journals and the subsequent reference to the now
freed/zeroed sd_jdesc pointer.

It was fixed in 6.4-rc2.

Fixed status
mainline: [504a10d9e46bc37b23d0a1ae2f28973c8516e636]
stable/5.10: [d03d31d3a206093b9b8759dddf0ba9bd843606ba]
stable/5.15: [fd8b4e28f400a067e6ef84569816967be1f0642b]
stable/6.1: [5ae4a618a1558d2b536fdd5d42e53d3e2d73870c]
stable/6.3: [14c454764a37b194dc916c07488ce7339c82bc4f]

* Updated CVEs

CVE-2022-48425: fs/ntfs3: Validate MFT flags before replaying logs

The stable/6.1 was fixed.

Fixed status
mainline: [98bea253aa28ad8be2ce565a9ca21beb4a9419e5]
stable/5.15: [2a67f26f70ab344ae6ea78638890eebc1191a501]
stable/6.1: [a8eaa9a06addbd9cb0238cb1c729921ecbb6504c]
stable/6.3: [e6f4b1c32d6d6047958d7700d12fed6d91f441e7]

CVE-2023-1838: Fix double fget() in vhost_net_set_backend()

The stable/4.14 was fixed.

Fixed status
mainline: [fb4554c2232e44d595920f4d5c66cf8f7d13f9bc]
stable/4.14: [d1bcb0ab20980c6da663708c9a47c322703f9fc3]
stable/4.19: [6ca70982c646cc32e458150ee7f2530a24369b8c]
stable/5.10: [ec0d801d1a44d9259377142c6218885ecd685e41]
stable/5.15: [42d8a6dc45fc6619b8def1a70b7bd0800bcc4574]
stable/5.4: [3a12b2c413b20c17832ec51cb836a0b713b916ac]

CVE-2023-2007: Linux Kernel DPT I2O Controller Time-Of-Check
Time-Of-Use Information Disclosure Vulnerability

Stable 4.19 and 5.10 were fixed.

Fixed status
mainline: [b04e75a4a8a81887386a0d2dbf605a48e779d2a0]
stable/4.19: [1b88816a9499608c736e192e0f442e65d4b71de1]
stable/5.10: [a2cd7599b558d6c70c01880d470f6eedaf6a8f23]

CVE-2023-2124: OOB access in the Linux kernel's XFS subsystem

Stable 6.1 and 6.3 were fixed.

Fixed status
mainline: [22ed903eee23a5b174e240f1cdfa9acf393a5210]
stable/5.10: [0e98a97f772f2ffcee8ced7a49b71e72916e0aa1]
stable/5.15: [6cfe9ddb6aa698464fa16fb77a0233f68c13360c]
stable/6.1: [a2961463d74f5c86a8dda3b41c484c28ccc4c289]
stable/6.3: [69ebe82c73f4f9f4b49ed3b35ce347af20716d0a]

CVE-2023-31084: BUG: WARNING in dvb_frontend_get_event

All stable kernels were fixed.

Fixed status
mainline: [b8c75e4a1b325ea0a9433fa8834be97b5836b946]
stable/4.14: [72197f21d9a6c47286a57d323f6858fbed1d0f77]
stable/4.19: [f3b5442184a0dab5cee9b2682f947393569e24b2]
stable/5.10: [ca2d171fd1f3ea03198b8775443d2767301dce9b]
stable/5.15: [22fc36d59eab8e0bcc8ef72bba2363285784ac74]
stable/5.4: [66a6d704c251aac864b69ae094a7579e0837eec9]
stable/6.1: [d0088ea444e676a0c75551efe183bee4a3d2cfc8]
stable/6.3: [47dc2e5f5fb45aff7f9c32f10412125ee13cb5ce]

CVE-2023-34255: xfs: verify buffer contents when we skip log replay

Stable 6.1 and 6.3 were fixed.

Fixed status
mainline: [22ed903eee23a5b174e240f1cdfa9acf393a5210]
stable/5.10: [0e98a97f772f2ffcee8ced7a49b71e72916e0aa1]
stable/5.15: [6cfe9ddb6aa698464fa16fb77a0233f68c13360c]
stable/6.1: [a2961463d74f5c86a8dda3b41c484c28ccc4c289]
stable/6.3: [69ebe82c73f4f9f4b49ed3b35ce347af20716d0a]

CVE-2023-3111: btrfs: unset reloc control if transaction commit fails
in prepare_to_relocate()

Stable 4.14, 4.19, 5.4, and 5.10 were fixed.

Fixed status
mainline: [85f02d6c856b9f3a0acf5219de6e32f58b9778eb]
stable/4.14: [ff0e8ed8dfb584575cffc1561f17a1d094e8565b]
stable/4.19: [dcb11fe0a0a9cca2b7425191b9bf30dc29f2ad0f]
stable/5.10: [b60e862e133f646f19023ece1d476d630a660de1]
stable/5.15: [78f8c2370e3d33e35f23bdc648653d779aeacb6e]
stable/5.4: [8e546674031fc1576da501e27a8fd165222e5a37]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com


* New CVE entries this week
@ 2022-11-09 23:02 Masami Ichikawa
  2022-11-10  8:33 ` [cip-dev] " Pavel Machek
  0 siblings, 1 reply; 44+ messages in thread
From: Masami Ichikawa @ 2022-11-09 23:02 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 3 new CVEs and 2 updated CVEs were reported.

* New CVEs

CVE-2022-42895: Bluetooth: L2CAP: Fix attempting to access uninitialized memory

CVSS v3 score is not provided.

An uninitialized-variable access bug was found in
l2cap_parse_conf_req() in net/bluetooth/l2cap_core.c.
The efs variable is on the stack. It is initialized when the type
variable is L2CAP_CONF_EFS.
So, if type isn't L2CAP_CONF_EFS and rfc.mode is L2CAP_MODE_ERTM, then
an uninitialized-variable access occurs.

It looks 4.4 is affected by this issue too.

Fixed status
mainline: [b1a2cd50c0357f243b7435a732b4e62ba3157a2e]

CVE-2022-42896: Bluetooth: L2CAP: Fix accepting connection request for
invalid SPSM

CVSS v3 score is not provided.

There was a valid range check for SPSM. Therefore, it will accept
connections with an invalid SPSM value.

It looks 4.4 is affected by this issue too.

Fixed status
mainline: [711f8c3fb3db61897080468586b970c87c61d9e4]

CVE-2022-43945: A buffer overflow bug was found in nfsd

CVSS v3 score is 7.5 HIGH.

The Linux kernel NFSD implementation prior to versions 5.19.17 and
6.0.2 is vulnerable to buffer overflow. NFSD tracks the number of
pages held by each NFSD thread by combining the receive and send
buffers of a remote procedure call (RPC) into a single array of pages.
A client can force the send buffer to shrink by sending an RPC message
over TCP with garbage data added at the end of the message. The RPC
message with garbage data is still correctly formed according to the
specification and is passed forward to handlers. Vulnerable code in
NFSD is not expecting the oversized request and writes beyond the
allocated buffer space.

nfsd3_proc_read() and nfsd_proc_read() were changed to set the
argp->count value by adding an extra min_t() macro.
nfsd_init_dirlist_pages() and nfsd3_init_dirlist_pages() changed how
the buf->buflen value is set.
However, 4.4, 4.19, and 5.10 set these values differently. So, even
if these kernels are vulnerable, they need a different fix.

Fixed status
mainline: [00b4492686e0497fdb924a9d4c8f6f99377e176c,
           640f87c190e0d1b2a0fcb2ecf6d2cd53b1c41991,
           401bc1f90874280a80b93f23be33a0e7e2d1f912,
           fa6be9cc6e80ec79892ddf08a8c10cabab9baf38]
stable/5.15: [dc7f225090c29a5f3b9419b1af32846a201555e7,
              071a076fd1b763aa6fe478efa047e0a549ba9c22,
              2be9331ca6061bc6ea32247266f45b8b21030244,
              75d9de25a6f833dd0701ca546ac926cabff2b5af]
stable/6.0: [f59c74df82f6ac9d2ea4e01aa3ae7c6c4481652d,
             279274e31270c28b86feffe5e166d4088f22317b,
             1868332032eccbab8c1878a0d918193058c0a905,
             309f29361b6bfae96936317376f1114568c5de19]

* Updated CVEs

CVE-2022-20369: media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP
buffers across ioctls

4.14 and 4.19 were fixed this week.

Fixed status
mainline: [8310ca94075e784bbb06593cd6c068ee6b6e4ca6]
stable/4.14: [7339b6bdf9e084f9e83c084ccc8879b6ae80b75a]
stable/4.19: [95c4751705f7eef0f16a245e121259857f867c4a]
stable/5.10: [8a83731a09a5954b85b1ce49c01ff5c2a3465cb7]
stable/5.15: [48d00e24822e4384edcee3aae03d54c1b7982eba]
stable/5.4: [54e1abbe856020522a7952140c26a4426f01dab6]

CVE-2022-3524: tcp/udp: Fix memory leak in ipv6_renew_options().

5.15 and 6.0 were fixed this week.

Fixed status
mainline: [3c52c6bb831f6335c176a0fc7214e26f43adbd11]
stable/5.15: [1401e9336bebaa6dd5a320f83bddc17619d4e3a6]
stable/6.0: [0c5d628f1e1d049c33595693fab1b6e9baf25795]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com

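The conditionally-initialized stack struct described for CVE-2022-42895 in the report above, shown as an added illustrative C model. This is not the kernel's net/bluetooth/l2cap_core.c code and is not part of the original report; the option type codes, struct layouts and all names (conf_opt, walk_opts, parse_conf_vuln, parse_conf_fixed, demo) are hypothetical. It contrasts the vulnerable shape (efs consulted whenever the mode is ERTM) with the hardened shape (efs zeroed and consulted only when the peer actually sent it):

```c
/* Added illustrative model (not the kernel's net/bluetooth/l2cap_core.c) of
 * the bug class behind CVE-2022-42895: a struct on the stack is filled in
 * only when one option type (EFS) is present, but is consulted later on a
 * different condition (the negotiated mode being ERTM).
 * Option type codes, struct layouts and all names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CONF_OPT_RFC = 0x04, CONF_OPT_EFS = 0x06 };  /* hypothetical type codes */
enum { MODE_BASIC = 0x00, MODE_ERTM = 0x03 };

struct conf_rfc { uint8_t mode; };
struct conf_efs { uint8_t id; uint8_t stype; uint16_t msdu; };

/* One configuration option as received: type, length, pointer to value. */
struct conf_opt { uint8_t type; uint8_t len; const void *val; };

/* Shared option walk.  `efs` is written only for CONF_OPT_EFS; `efs_seen`
 * records whether that happened. */
static void walk_opts(const struct conf_opt *opts, size_t n,
                      struct conf_rfc *rfc, struct conf_efs *efs, bool *efs_seen)
{
	for (size_t i = 0; i < n; i++) {
		switch (opts[i].type) {
		case CONF_OPT_RFC:
			if (opts[i].len == sizeof(*rfc))
				memcpy(rfc, opts[i].val, sizeof(*rfc));
			break;
		case CONF_OPT_EFS:
			if (opts[i].len == sizeof(*efs)) {
				memcpy(efs, opts[i].val, sizeof(*efs));
				*efs_seen = true;
			}
			break;
		}
	}
}

/* Vulnerable shape: in ERTM mode efs is consulted whether or not the peer
 * sent it.  Returns -1 on the path where real code would read the
 * uninitialized struct (the model stops instead of reading it), 1 when efs
 * was consumed, 0 when the mode did not need it. */
static int parse_conf_vuln(const struct conf_opt *opts, size_t n, struct conf_efs *out)
{
	struct conf_rfc rfc = { .mode = MODE_BASIC };
	struct conf_efs efs;          /* deliberately not initialized */
	bool efs_seen = false;

	walk_opts(opts, n, &rfc, &efs, &efs_seen);
	if (rfc.mode == MODE_ERTM) {
		if (!efs_seen)
			return -1;        /* real code would use efs.stype/efs.msdu here */
		*out = efs;
		return 1;
	}
	return 0;
}

/* Hardened shape: zero-initialize and consult efs only when it was received. */
static int parse_conf_fixed(const struct conf_opt *opts, size_t n, struct conf_efs *out)
{
	struct conf_rfc rfc = { .mode = MODE_BASIC };
	struct conf_efs efs = { 0 };
	bool efs_seen = false;

	walk_opts(opts, n, &rfc, &efs, &efs_seen);
	if (rfc.mode == MODE_ERTM && efs_seen) {
		*out = efs;
		return 1;
	}
	return 0;
}

/* Constructed peer requests: ERTM mode with and without an EFS option. */
static int demo(bool with_efs, bool fixed)
{
	static const struct conf_rfc ertm = { .mode = MODE_ERTM };
	static const struct conf_efs efs = { .id = 1, .stype = 2, .msdu = 672 };
	struct conf_opt opts[2] = {
		{ CONF_OPT_RFC, sizeof(ertm), &ertm },
		{ CONF_OPT_EFS, sizeof(efs), &efs },
	};
	struct conf_efs out = { 0 };
	size_t n = with_efs ? 2 : 1;

	return fixed ? parse_conf_fixed(opts, n, &out) : parse_conf_vuln(opts, n, &out);
}

int main(void)
{
	printf("ERTM without EFS: vuln=%d fixed=%d\n", demo(false, false), demo(false, true));
	printf("ERTM with EFS:    vuln=%d fixed=%d\n", demo(true, false), demo(true, true));
	return 0;
}
```

The point of the model is the gate: the value that drives the later read (rfc.mode) is not the value that caused the struct to be populated (the EFS option), so the fix has to tie the read to the flag that records population, not to the mode.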

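The shared receive/send page array and the missing clamp described for CVE-2022-43945 in the report above, shown as an added illustrative C model. This is not the kernel's nfsd code and is not part of the original report; the page budget, the protocol maximum and all names (rpc_pages, reply_space, nfs_read_count_vuln, nfs_read_count_fixed, scenario) are hypothetical. The vulnerable variant clamps the READ count only to the protocol maximum; the hardened variant adds the second min_t() against the space actually left after an oversized request:

```c
/* Added illustrative model (not the kernel's nfsd code) of the bug class
 * behind CVE-2022-43945: one fixed page array is shared between an RPC's
 * receive and send halves, so trailing garbage on the request shrinks the
 * space left for the reply.  The READ handler must clamp the reply count to
 * what is actually left, not only to the protocol maximum.
 * Page budget, protocol maximum and all names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RPC_PAGE_SIZE  4096u
#define RPC_PAGES      8u                         /* per-thread page budget */
#define MAX_READ_BYTES (4u * RPC_PAGE_SIZE)       /* protocol maximum */

/* Kernel-style min_t(): compare after casting both operands to one type. */
#define min_t(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))

struct rpc_pages {
	size_t recv_len;   /* bytes of request held in the array, garbage included */
	size_t reply_hdr;  /* bytes of reply header written before the READ payload */
};

/* Bytes left in the shared array once the request (rounded up to whole
 * pages) and the reply header have been accounted for. */
static size_t reply_space(const struct rpc_pages *rq)
{
	size_t recv_pages = (rq->recv_len + RPC_PAGE_SIZE - 1) / RPC_PAGE_SIZE;
	size_t used = recv_pages * RPC_PAGE_SIZE + rq->reply_hdr;
	size_t total = RPC_PAGES * RPC_PAGE_SIZE;

	return used >= total ? 0 : total - used;
}

/* Vulnerable pattern: clamp only to the protocol maximum. */
static size_t nfs_read_count_vuln(const struct rpc_pages *rq, uint32_t want)
{
	(void)rq;
	return min_t(uint32_t, want, MAX_READ_BYTES);
}

/* Hardened pattern (shape of the fix described in the report): also clamp
 * to what is physically left in the shared page array. */
static size_t nfs_read_count_fixed(const struct rpc_pages *rq, uint32_t want)
{
	size_t count = min_t(uint32_t, want, MAX_READ_BYTES);

	return min_t(size_t, count, reply_space(rq));
}

/* Would writing `count` payload bytes run past the array?  Pure check; the
 * model never performs the out-of-bounds write. */
static bool read_overflows(const struct rpc_pages *rq, size_t count)
{
	return count > reply_space(rq);
}

/* Constructed scenario: a small READ request (200 bytes, fits in one page)
 * optionally padded with trailing garbage so it occupies more pages.  The
 * client asks for the protocol-maximum number of bytes in the reply. */
static bool scenario(size_t garbage_bytes, bool use_fix)
{
	struct rpc_pages rq = { .recv_len = 200 + garbage_bytes, .reply_hdr = 128 };
	uint32_t want = MAX_READ_BYTES;
	size_t count = use_fix ? nfs_read_count_fixed(&rq, want)
	                       : nfs_read_count_vuln(&rq, want);

	return read_overflows(&rq, count);
}

int main(void)
{
	printf("clean request:  vuln_overflow=%d fixed_overflow=%d\n",
	       scenario(0, false), scenario(0, true));
	printf("garbage-padded: vuln_overflow=%d fixed_overflow=%d\n",
	       scenario(5 * RPC_PAGE_SIZE, false), scenario(5 * RPC_PAGE_SIZE, true));
	return 0;
}
```

With the hypothetical 8-page budget, a request padded to occupy 6 pages leaves 8064 bytes for the reply; the vulnerable count of 16384 bytes overruns it, while the hardened count is cut to 8064. The garbage is harmless to the RPC parser, which is exactly why the clamp has to live in the handler that sizes the reply.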
* New CVE entries this week
@ 2022-10-20  0:48 Masami Ichikawa
  2022-10-20  7:58 ` [cip-dev] " Pavel Machek
From: Masami Ichikawa @ 2022-10-20  0:48 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 23 new CVEs and 2 updated CVEs.
CVE-2022-41674, CVE-2022-42719, and CVE-2022-42720 are remote code
execution vulnerabilities. These CVEs are already fixed.

* New CVEs

CVE-2022-41674: fix u8 overflow in cfg80211_update_notlisted_nontrans

CVSS v3 score is 8.1 HIGH.

There is a buffer overflow bug in cfg80211_update_notlisted_nontrans()
which causes 2 bytes to be overwritten.
This overflow leads to remote code execution.

This bug was introduced by commit 0b8fb82 ("cfg80211: Parsing of
Multiple BSSID information in scanning") in 5.1-rc1.
This commit isn't backported to 4.x kernels so 4.x kernels aren't
affected by this vulnerability.

Fixed status
mainline: [aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d]
stable/5.10: [a6408e0b694c1bdd8ae7dd0464a86b98518145ec]
stable/5.15: [9a8ef2030510a9d6ce86fd535b8d10720230811f]
stable/5.19: [42ea11a81ac853c3e870c70d61ab435d0b09b851]
stable/5.4: [020402c7dd587a8a4725d32bbd172a5f7ecc5f8f]
stable/6.0: [fc1ed6d0c9898a68da7f1f7843560dfda57683e2]

CVE-2022-42719: wifi: mac80211: fix MBSSID parsing use-after-free

CVSS v3 score is 8.8 HIGH.

There is a use-after-free bug in the mac80211 subsystem. The result
will cause remote code execution.

This vulnerability was introduced by commit 5023b14 ("mac80211:
support profile split between elements") in 5.2-rc1.
The commit 5023b14cf4df is not backported to 4.x kernels, so they
aren't affected by this vulnerability.

Fixed status
mainline: [ff05d4b45dd89b922578dac497dcabf57cf771c6]
stable/5.10: [31ce5da48a845bac48930bbde1d45e7449591728]
stable/5.15: [de124365a7d2deed22cf706583930f28d537ff0f]
stable/5.19: [e6d77ac0132da7e73fdcc4a38dd4c40ac0226466]
stable/6.0: [4afcb8886800131f8dd58d82754ee0c508303d46]

CVE-2022-42720: wifi: cfg80211: fix BSS refcounting bugs

CVSS v3 score is 7.8 HIGH.

There is a use-after-free bug in the cfg80211 subsystem. The result
will cause remote code execution.

Introduced by commit a3584f5 ("cfg80211: Properly track transmitting
and non-transmitting BSS") which is not backported to 4.x kernels, so
they aren't affected by this vulnerability.

Fixed status
mainline: [0b7808818cb9df6680f98996b8e9a439fa7bcc2f]
stable/5.10: [6b944845031356f3e0c0f6695f9252a8ddc8b02f]
stable/5.15: [bfe29873454f38eb1a511a76144ad1a4848ca176]
stable/5.19: [46b23a9559580a72d8cc5811b1bce8db099806d6]
stable/5.4: [785eaabfe3103e8bfa36aebacff6e8f69f092ed7]
stable/6.0: [e97a5d7091e6d2df05f8378a518a9bbf81688b77]

CVE-2022-42721: wifi: cfg80211: avoid non transmitted BSS list corruption

CVSS v3 score is 5.5 MEDIUM.

If there is an invalid BSS (Basic Service Set), the cfg80211 subsystem
will loop over the data forever. That causes a DoS.

Introduced by commit 0b8fb82 ("cfg80211: Parsing of Multiple BSSID
information in scanning") which is not backported to 4.x kernels, so
they aren't affected by this vulnerability.

Fixed status
mainline: [bcca852027e5878aec911a347407ecc88d6fff7f]
stable/5.10: [b0e5c5deb7880be5b8a459d584e13e1f9879d307]
stable/5.15: [0a8ee682e4f992eccce226b012bba600bb2251e2]
stable/5.19: [1d73c990e9bafc2754b1ced71345f73f5beb1781]
stable/5.4: [77bb20ccb9dfc9ed4f9c93788c90d08cfd891cdc]
stable/6.0: [377cb1ce85878c197904ca8383e6b41886e3994d]

CVE-2022-42722: wifi: mac80211: fix crash in beacon protection for P2P-device

CVSS v3 score is 5.5 MEDIUM.

There is a NULL pointer dereference bug in ieee80211_rx_h_decrypt()
and ieee80211_rx_h_decrypt() when processing beacon protection for a
P2P-device. This bug leads to DoS attacks.

This bug was introduced by commit 9eaf183 ("mac80211: Report beacon
protection failures to user space") which is not backported to 5.4 and
4.x kernels, so they aren't affected by this vulnerability.

Fixed status
mainline: [b2d03cabe2b2e150ff5a381731ea0355459be09f]
stable/5.10: [58c0306d0bcd5f541714bea8765d23111c9af68a]
stable/5.15: [93a3a32554079432b49cf87f326607b2a2fab4f2]
stable/5.19: [fa63b5f6f8853ace755d9a23fb75817d5ba20df5]
stable/6.0: [8ed62f2df8ebcf79c185f1bc3e4f346ea0905da6]

CVE-2022-3521: kcm: avoid potential race in kcm_tx_work

CVSS v3 score is 2.5 LOW(NIST).
CVSS v3 score is 2.6 LOW(VulDB).

A vulnerability has been found in Linux Kernel and classified as
problematic. This vulnerability affects the function kcm_tx_work of
the file net/kcm/kcmsock.c of the component kcm. The manipulation
leads to race conditions.

This bug was introduced by ab7ac4e ("kcm: Kernel Connection
Multiplexor module") in 4.6-rc1.
The kcm was introduced in 4.6 so 4.4 kernel is not affected by this issue.

Fixed status
mainline: [ec7eede369fe5b0d085ac51fdbb95184f87bfc6c]

CVE-2022-3522: mm/hugetlb: use hugetlb_pte_stable in migration race check

CVSS v3 score is 7.0 HIGH(NIST).
CVSS v3 score is 4.6 MEDIUM(VulDB).

A vulnerability was found in Linux Kernel and classified as
problematic. This issue affects the function hugetlb_no_page of the
file mm/hugetlb.c. The manipulation leads to race conditions.

Commit 2ea7ff1 ("mm/hugetlb: fix race condition of uffd missing/minor
handling") in 6.1-rc1 added a new function called
hugetlb_pte_stable(). Commit f9bf6c0 ("mm/hugetlb: use
hugetlb_pte_stable in migration race check") uses the function so
applying this patch requires commit 2ea7ff1.

Fixed status
mainline: [f9bf6c03eca1077cae8de0e6d86427656fa42a9b]

CVE-2022-3523: mm/memory.c: fix race when faulting a device private page

CVSS v3 score is not provided(NIST).
CVSS v3 score is 5.3 MEDIUM(VulDB).

A vulnerability was found in Linux Kernel. It has been classified as
problematic. Affected is an unknown function of the file mm/memory.c
of the component Driver Handler. The manipulation leads to use after
free.

The commit log says:

```
When the CPU tries to access a device private page the migrate_to_ram()
callback associated with the pgmap for the page is called.  However no
reference is taken on the faulting page.  Therefore a concurrent migration
of the device private page can free the page and possibly the underlying
pgmap.  This results in a race which can crash the kernel due to the
migrate_to_ram() function pointer becoming invalid.  It also means drivers
can't reliably read the zone_device_data field because the page may have
been freed with memunmap_pages().
```

According to the above commit log, accessing an invalid migrate_to_ram
pointer will cause a bug.
This migrate_to_ram pointer was added by commit 897e636 ("memremap:
add a migrate_to_ram method to struct dev_pagemap_ops") in 5.3-rc1.
Therefore, kernel versions from 5.3-rc1 to 6.1-rc1 are affected by
this vulnerability.

This fix is based on the memory folios feature, so it cannot be
applied to older kernels directly.

- mm/migrate_device.c was introduced by commit 76cbbea ("mm: move the
migrate_vma_* device migration code into its own file") in 5.18-rc1.
- migrate_folio() was added into include/linux/migrate.h by commit
5418465 ("mm/migrate: Convert migrate_page() to migrate_folio()") in
6.0-rc1.
- Memory folios feature was introduced in 5.16.

Fixed status
mainline: [16ce101db85db694a91380aa4c89b25530871d33]

CVE-2022-3524: tcp/udp: Fix memory leak in ipv6_renew_options().

A vulnerability was found in Linux Kernel. It has been declared as
problematic. Affected by this vulnerability is the function
ipv6_renew_options of the component IPv6 Handler. The manipulation
leads to memory leak. The attack can be launched remotely.

CVSS v3 score is 7.5 HIGH(NIST).
CVSS v3 score is 4.3 MEDIUM(VulDB).

Kernel 4.4 is also affected by this issue. Applying this fix to 4.4
needs modification of the patch.

Fixed status
mainline: [3c52c6bb831f6335c176a0fc7214e26f43adbd11]

CVE-2022-3526: macvlan: Fix leaking skb in source mode with nodst option

CVSS v3 score is 7.5 HIGH(NIST).
CVSS v3 score is 5.3 MEDIUM(VulDB).

A vulnerability classified as problematic was found in Linux Kernel.
This vulnerability affects the function macvlan_handle_frame of the
file drivers/net/macvlan.c of the component skb. The manipulation
leads to memory leak. The attack can be initiated remotely.

Introduced by 427f0c8 ("macvlan: Add nodst option to macvlan type
source") in 5.13-rc1.
Kernels before 5.13-rc1 are not affected.

Fixed status
mainline: [e16b859872b87650bb55b12cca5a5fcdc49c1442]
stable/5.15: [8f79ce226ad2e9b2ec598de2b9560863b7549d1b]

CVE-2022-3531: selftest/bpf: Fix memory leak in kprobe_multi_test

CVSS v3 score is 5.7 MEDIUM(NIST).
CVSS v3 score is 3.5 LOW(VulDB).

A vulnerability was found in Linux Kernel. It has been classified as
problematic. This affects the function get_syms of the file
tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c of the
component BPF. The manipulation leads to memory leak.

Introduced by commit 5b6c7e5c4434 ("selftests/bpf: Add attach bench
test") in 5.19-rc1. It isn't backported to older kernels.
By the way, users shouldn't run kselftest in their production environment anyway.

Fixed status
Fixed in bpf-next tree as of 2022-10-18.

CVE-2022-3532: selftests/bpf: Fix memory leak caused by not destroying skeleton

CVSS v3 score is 5.7 MEDIUM(NIST).
CVSS v3 score is 3.5 LOW(VulDB).

A vulnerability was found in Linux Kernel. It has been declared as
problematic. This vulnerability affects the function
test_map_kptr_success/test_fentry of the component BPF. The
manipulation leads to memory leak.

Introduced by commit 0ef6740e9777 ("selftests/bpf: Add tests for
kptr_ref refcounting") in 5.19-rc1 and 1642a3945e22 ("selftests/bpf:
Add struct argument tests with fentry/fexit programs.") in 6.1-rc1.
These commits are not backported to stable kernels.
Users shouldn't run kselftest in their production environment anyway.

4.4, 4.9, 4.14, 4.19, 5.4, and 5.10 kernels are not affected by this issue.

Fixed status
Fixed in bpf-next tree as of 2022-10-18.

CVE-2022-3535: net: mvpp2: fix mvpp2 debugfs leak

CVSS v3 score is not provided(NIST).
CVSS v3 score is 3.5 LOW(VulDB).

A vulnerability classified as problematic was found in Linux Kernel.
Affected by this vulnerability is the function mvpp2_dbgfs_port_init
of the file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the
component mvpp2. The manipulation leads to memory leak.

Introduced by commit 21da57a ("net: mvpp2: add a debugfs interface for
the Header Parser") in 4.19-rc1.
4.4, 4.9, 4.10, and 4.19 kernels are not affected by this issue.

Fixed status
mainline: [0152dfee235e87660f52a117fc9f70dc55956bb4]

CVE-2022-3543: af_unix: Fix memory leaks of the whole sk due to OOB skb.

CVSS v3 score is 5.5 MEDIUM(NIST).
CVSS v3 score is 3.5 LOW(VulDB).

A vulnerability, which was classified as problematic, has been found
in Linux Kernel. This issue affects the function
unix_sock_destructor/unix_release_sock of the file net/unix/af_unix.c
of the component BPF. The manipulation leads to memory leak.

Introduced by commit 314001f ("af_unix: Add OOB support") in 5.15-rc1.
This commit is not backported to older kernels.
4.4, 4.9, 4.14, 4.19, 5.4, and 5.10 kernels are not affected by this issue.

Fixed status
mainline: [7a62ed61367b8fd01bae1e18e30602c25060d824]

CVE-2022-3564: Bluetooth: L2CAP: Fix use-after-free caused by
l2cap_reassemble_sdu

CVSS v3 score is not provided(NIST).
CVSS v3 score is 5.5 MEDIUM(VulDB).

A vulnerability classified as critical was found in Linux Kernel.
Affected by this vulnerability is the function l2cap_reassemble_sdu of
the file net/bluetooth/l2cap_core.c of the component Bluetooth. The
manipulation leads to use after free.

Introduced by commit d2a7ac5d5d3a ("Bluetooth: Add the ERTM receive
state machine") in 3.6-rc1 and 4b51dae96731 ("Bluetooth: Add streaming
mode receive and incoming packet classifier") in 3.6-rc1.

Fixed status
fixed in bluetooth-next tree as of 2022-10-18

CVE-2022-3565: mISDN: fix use-after-free bugs in l1oip timer handlers

CVSS v3 score is not provided(NIST).
CVSS v3 score is 4.6 MEDIUM(VulDB).

A vulnerability, which was classified as critical, has been found in
Linux Kernel. Affected by this issue is the function del_timer of the
file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The
manipulation leads to use after free.

Fixed status
mainline: [2568a7e0832ee30b0a351016d03062ab4e0e0a3f]

CVE-2022-3566: tcp: Fix data races around icsk->icsk_af_ops.

CVSS v3 score is not provided(NIST).
CVSS v3 score is 4.6 MEDIUM(VulDB).

A vulnerability, which was classified as problematic, was found in
Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt
of the component TCP Handler. The manipulation leads to race
conditions.

Fixed status
mainline: [f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57]

CVE-2022-3567: ipv6: Fix data races around sk->sk_prot.

CVSS v3 score is not provided(NIST).
CVSS v3 score is 4.6 MEDIUM(VulDB).

A vulnerability has been found in Linux Kernel and classified as
problematic. This vulnerability affects the function
inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The
manipulation leads to race conditions.

According to the commit log, commit 086d490 ("ipv6: annotate some
data-races around sk->sk_prot") fixes a race condition bug but it was
not enough.
Therefore it seems that both commit 086d490 and 364f997 are needed to fix this issue.

Fixed status
mainline: [364f997b5cfe1db0d63a390fe7c801fa2b3115f6]

CVE-2022-2602: io_uring/af_unix: defer registered files gc to io_uring release

CVSS v3 score is not provided.

A use-after-free bug was found in the io_uring subsystem. When
io_uring releases registered fds, the Unix socket garbage collection
process is used. If Unix GC runs before io_uring has released the fds,
a use-after-free happens. That causes a local privilege escalation
vulnerability.

Fixed status
mainline: [0091bfc81741b8d3aeb3b7ab8636f911b2de6e80]

CVE-2022-3542: bnx2x: fix potential memory leak in bnx2x_tpa_stop()

CVSS v3 score is 5.5 MEDIUM(NIST).
CVSS v3 score is 3.5 LOW(VulDB).

A vulnerability classified as problematic was found in Linux Kernel.
This vulnerability affects the function bnx2x_tpa_stop of the file
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c of the component BPF.
The manipulation leads to memory leak.

This bug is in the driver for Broadcom NetXtremeII 10 gigabit Ethernet
cards (CONFIG_BNX2X).

Fixed status
mainline: [b43f9acbb8942b05252be83ac25a81cec70cc192]

CVE-2022-3545: nfp: fix use-after-free in area_cache_get()

CVSS v3 score is 7.8 HIGH(NIST).
CVSS v3 score is 5.5 MEDIUM(VulDB).

A vulnerability has been found in Linux Kernel and classified as
critical. Affected by this vulnerability is the function
area_cache_get of the file
drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the
component IPsec. The manipulation leads to use after free.

The nfp/nfpcore was added by 4cb584e0 ("nfp: add CPP access core") in
4.11-rc1. So, 4.4 and 4.9 are not affected.

Fixed status
mainline: [02e1a114fdb71e59ee6770294166c30d437bf86a]

CVE-2022-3541: eth: sp7021: fix use after free bug in
spl2sw_nvmem_get_mac_address

CVSS v3 score is 7.8 HIGH(NIST).
CVSS v3 score is 5.5 MEDIUM(VulDB).

A vulnerability classified as critical has been found in Linux Kernel.
This affects the function spl2sw_nvmem_get_mac_address of the file
drivers/net/ethernet/sunplus/spl2sw_driver.c of the component BPF. The
manipulation leads to use after free.

This issue was introduced by commit fd3040b ("net: ethernet: Add
driver for Sunplus SP7021") in 5.19-rc1.
Therefore, 4.x, 5.10, and 5.15 kernels are not affected by this issue.

Fixed status
mainline: [12aece8b01507a2d357a1861f470e83621fbb6f2]

CVE-2022-3594: r8152: Rate limit overflow messages

CVSS v3 score is not provided(NIST).
CVSS v3 score is 5.3 MEDIUM(VulDB).

A vulnerability was found in Linux Kernel. It has been declared as
problematic. Affected by this vulnerability is the function
intr_callback of the file drivers/net/usb/r8152.c of the component
BPF. The manipulation leads to logging of excessive data. The attack
can be launched remotely.

Fixed status
mainline: [93e2be344a7db169b7119de21ac1bf253b8c6907]

* Updated CVEs

CVE-2022-3303: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC

5.10 was fixed this week.

Fixed status
mainline: [8423f0b6d513b259fdab9c9bf4aaa6188d054c2d]
stable/5.10: [fce793a056c604b41a298317cf704dae255f1b36]
stable/5.15: [8015ef9e8a0ee5cecfd0cb6805834d007ab26f86]
stable/5.19: [723ac5ab2891b6c10dd6cc78ef5456af593490eb]
stable/5.4: [4051324a6dafd7053c74c475e80b3ba10ae672b0]

CVE-2022-40768: scsi: stex: properly zero out the passthrough command structure

stable 5.10, 5.15, 5.19, 5.4, and 6.0 were fixed this week.

Fixed status
mainline: [6022f210461fef67e6e676fd8544ca02d1bcfa7a]
stable/5.10: [36b33c63515a93246487691046d18dd37a9f589b]
stable/5.15: [76efb4897bc38b2f16176bae27ae801037ebf49a]
stable/5.19: [6ae8aa5dcf0d7ada07964c8638e55d3af5896a86]
stable/5.4: [20a5bde605979af270f94b9151f753ec2caf8b05]
stable/6.0: [b9b7369d89924a366b20045dc26dc4dc6b0567a4]


Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com


* New CVE entries this week
@ 2022-06-15 23:44 Masami Ichikawa
  2022-06-16 12:04 ` [cip-dev] " Pavel Machek
From: Masami Ichikawa @ 2022-06-15 23:44 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 3 new CVEs and 3 updated CVEs.

FYI: A new side-channel attack called the "Hertzbleed Attack" has
been published.
This vulnerability has been assigned CVE-2022-23823 and CVE-2022-24436.
Researchers confirmed that Intel's 8th to 11th generation Core
microarchitectures and AMD Ryzen processors are affected, but they
haven't confirmed whether other processors (e.g. ARM) are affected.
Intel and AMD provided guidance to mitigate the Hertzbleed Attack.
However, researchers said that Intel and AMD haven't planned to
provide microcode patches.

https://www.hertzbleed.com/

* New CVEs

CVE-2022-32981: powerpc/32: Fix overread/overwrite of thread_struct via ptrace

CVSS v3 score is not assigned.

This vulnerability only affects powerpc 32bit architecture.
There is a buffer overflow in ptrace PEEKUSER and POKEUSER (aka
PEEKUSR and POKEUSR) when accessing floating point registers.

Fixed status
mainline: [8e1278444446fc97778a5e5c99bca1ce0bbc5ec9]
stable/4.14: [d13c94c4b6f816e79b8e4df193db1bdcc7253610]
stable/4.19: [a0e38a2808ea708beb4196a8873cecc23efb8e64]
stable/4.9: [89dda10b73b7ce184caf18754907126ce7ce3fad]
stable/5.10: [3be74fc0afbeadc2aff8dc69f3bf9716fbe66486]
stable/5.15: [2a0165d278973e30f2282c15c52d91788749d2d4]
stable/5.18: [7764a258356c454fe56b9f56fc07c0e146a3bccb]
stable/5.4: [0c4bc0a2f8257f79a70fe02b9a698eb14695a64b]

CVE-2022-32250: use-after-free bug in net/netfilter/nf_tables_api.c
causes a local user to escalate privileges.

CVSS v3 score is 7.8 HIGH.

net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1
allows a local user (able to create user/net namespaces) to escalate
privileges to root because an incorrect NFT_STATEFUL_EXPR check leads
to a use-after-free.

The bug-fix commit 5207780 ("netfilter: nf_tables: disallow
non-stateful expression in sets earlier") and the bug-introducing
commit 0b2d8a7 ("netfilter: nf_tables: add helper functions for
expression handling") are the same as for CVE-2022-1966.
So, it looks like this CVE is a duplicate of CVE-2022-1966.

Fixed status
mainline: [520778042ccca019f3ffa136dd0ca565c486cedd]
stable/4.14: [5b732a9e8e22395d911b3e6c343cbed0e1cec275]
stable/4.19: [ed44398b45add3d9be56b7457cc9e05282e518b4]
stable/4.9: [94e9b75919619ba8c4072abc4917011a7a888a79]
stable/5.10: [ea62d169b6e731e0b54abda1d692406f6bc6a696]
stable/5.15: [f692bcffd1f2ce5488d24fbcb8eab5f351abf79d]
stable/5.17: [d8db0465bcc4d4b54ecfb67b820ed26eb1440da7]
stable/5.18: [8f44c83e51b4ca49c815f8dd0d9c38f497cdbcb0]
stable/5.4: [f36736fbd48491a8d85cd22f4740d542c5a1546e]

CVE-2022-1976: io_uring: reinstate the inflight tracking

CVSS v3 score is not assigned.

There is a use-after-free bug in fs/io_uring.c that causes a system crash.
This issue was introduced by commit d536123 ("io_uring: drop the old
style inflight file tracking") in 5.18-rc2.
5.18 and the mainline are affected by this vulnerability. Kernel 5.17
contains the commit d536123 but this version is EOL.

Fixed status
mainline: [9cae36a094e7e9d6e5fe8b6dcd4642138b3eb0c7]

* Updated CVEs

CVE-2021-4034: kernel vs pkexec API confusion leads to easy local root

Added 4.14, 5.4, 5.15 and 5.17 kernel fixed commits.

Fixed status
mainline: [dcd46d897adb70d63e025f175a00a89797d31a43]
stable/4.14: [98e0c7c702894987732776736c99b85ade6fba45]
stable/4.19: [b50fb8dbc8b81aaa126387de428f4c42a7c72a73]
stable/4.9: [41f6ea5b9aaa28b740d47ffe995a5013211fdbb0]
stable/5.10: [27a6f495b63a1804cc71be45911065db7757a98c]
stable/5.15: [1290eb4412aa0f0e9f3434b406dc8e255da85f9e]
stable/5.17: [cfbfff8ce5e3d674947581f1eb9af0a1b1807950]
stable/5.4: [1fe82bfd9e4ce93399d815ca458b58505191c3e8]

CVE-2022-1973: fs/ntfs3: Fix invalid free in log_replay

Stable kernels 5.15, 5.17, and 5.18 were fixed. All kernels are fixed.

Fixed status
mainline: [f26967b9f7a830e228bb13fb41bd516ddd9d789d]
stable/5.15: [61decb58486d7c0cbded25fe4d301ab4fa148cd8]
stable/5.17: [2088cc00491e8d25a99d0f247df843e9c3df2040]
stable/5.18: [2aafbe9fb210a355d6e0e92a91f294dee80e5d44]

CVE-2022-1966: netfilter: nf_tables: disallow non-stateful expression
in sets earlier

stable 4.14, 4.19, 4.9, and 5.4 were fixed.

Fixed status
mainline: [520778042ccca019f3ffa136dd0ca565c486cedd]
stable/4.14: [5b732a9e8e22395d911b3e6c343cbed0e1cec275]
stable/4.19: [ed44398b45add3d9be56b7457cc9e05282e518b4]
stable/4.9: [94e9b75919619ba8c4072abc4917011a7a888a79]
stable/5.10: [ea62d169b6e731e0b54abda1d692406f6bc6a696]
stable/5.15: [f692bcffd1f2ce5488d24fbcb8eab5f351abf79d]
stable/5.17: [d8db0465bcc4d4b54ecfb67b820ed26eb1440da7]
stable/5.18: [8f44c83e51b4ca49c815f8dd0d9c38f497cdbcb0]
stable/5.4: [f36736fbd48491a8d85cd22f4740d542c5a1546e]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com


* New CVE entries this week
@ 2022-02-17  0:09 Masami Ichikawa
  2022-02-17 11:55 ` [cip-dev] " Pavel Machek
From: Masami Ichikawa @ 2022-02-17  0:09 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 9 new CVEs.

* New CVEs

CVE-2021-44879: f2fs: fix to do sanity check on inode type during
garbage collection

CVSS v3 score is not provided.

In gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3,
special files are not considered, leading to a move_data_page NULL
pointer dereference.

The gc_data_segment() in the 4.4 kernel does a different check from
other kernels, so the patch cannot be applied.

Fixed status

mainline: [9056d6489f5a41cfbb67f719d2c0ce61ead72d9f]
stable/5.15: [0ddbdc0b7f0cec3815ac05a30b2c2f6457be3050]
stable/5.16: [d667b9f61df7bdfcb59dd1406fd2392c358f0008]

CVE-2022-0435: tipc: improve size validations for received domain records

CVSS v3 score is not provided.

This issue was introduced by commit 35c55c9 ("tipc: add neighbor
monitoring framework") which was merged in 4.8-rc1. It was fixed in
5.17-rc4. The 4.4 kernel isn't affected.

Fixed status

mainline: [9aa422ad326634b76309e8ff342c246800621216]
stable/4.14: [fde4ddeadd099bf9fbb9ccbee8e1b5c20d530a2d]
stable/4.19: [f1af11edd08dd8376f7a84487cbb0ea8203e3a1d]
stable/4.9: [175db196e45d6f0e6047eccd09c8ba55465eb131]
stable/5.10: [3c7e5943553594f68bbc070683db6bb6f6e9e78e]
stable/5.15: [1f1788616157b0222b0c2153828b475d95e374a7]
stable/5.16: [59ff7514f8c56f166aadca49bcecfa028e0ad50f]
stable/5.4: [d692e3406e052dbf9f6d9da0cba36cb763272529]

CVE-2022-0516: KVM: s390: Return error on SIDA memop on normal guest

CVSS v3 score is not provided.

This issue is s390 architecture specific. It was introduced by commit
19e12277 ("KVM: S390: protvirt: Introduce instruction data area bounce
buffer") which was merged in 5.7-rc1. All kernels were already fixed.

Fixed status

mainline: [2c212e1baedcd782b2535a3f86bc491977677c0e]
stable/5.10: [b62267b8b06e9b8bb429ae8f962ee431e6535d60]
stable/5.15: [14f880ea779e11a6c162f122c1199e3578e6e3f3]
stable/5.16: [8c68c50109c22502b647f4e86ec74400c7a3f6e0]

CVE-2022-24958: drivers/usb/gadget/legacy/inode.c mishandles dev->buf release

CVSS v3 score is not provided.

The drivers/usb/gadget/legacy/inode.c in the Linux kernel through
5.16.8 mishandles dev->buf release. This bug will cause a UAF.

For 4.4, commit 501e38a ("usb: gadget: clear related members when goto
fail") has a merge conflict, but it is easy to fix.

Fixed status

mainline: [89f3594d0de58e8a57d92d497dea9fee3d4b9cda,
501e38a5531efbd77d5c73c0ba838a889bfc1d74]

CVE-2022-24959: yam: fix a memory leak in yam_siocdevprivate()

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 5.16.5. There is a
memory leak in yam_siocdevprivate in drivers/net/hamradio/yam.c.

This bug was introduced by commit 0781168 ("yam: fix a missing-check
bug") which was merged in 4.19-rc7.
Stable 4.9 and 4.4 kernels are not affected.

Fixed status

mainline: [29eb31542787e1019208a2e1047bb7c76c069536]
stable/4.14: [4bbdfb71d2898a9d6e777a948a7484903a4ad2c3]
stable/4.19: [4bd197ce18329e3725fe3af5bd27daa4256d3ac7]
stable/5.10: [729e54636b3ebefb77796702a5b1f1ed5586895e]
stable/5.15: [0690c3943ed0fa76654e600eca38cde6a13c87ac]
stable/5.16: [deb0f02d08276d87212c1f19d9d919b13dc4c033]
stable/5.4: [7afc09c8915b0735203ebcb8d766d7db37b794c0]

CVE-2021-33061: Insufficient control flow management for the Intel(R)
82599 Ethernet Controllers and Adapters may allow an authenticated
user to potentially enable denial of service via local access.

CVSS v3 score is 5.5 MEDIUM.

This bug allows DoS attacks. It was fixed and released on 2021/10/05.

Fixed status

Fixed in Intel® 82599 Ethernet Series Controllers and associated
Adapters Kernel-mode Driver versions 5.13.4 or higher.

CVE-2021-33096: Improper isolation of shared resources in network on
chip for the Intel(R) 82599 Ethernet Controllers and Adapters may
allow an authenticated user to potentially enable denial of service
via local access.

CVSS v3 score is 5.5 MEDIUM.

This bug allows DoS attacks. Intel recommends "Consult the
Direct-Assignment Networking Fault Isolation in a Data Center
Environment Prescriptive Guidance Addressing INTEL-SA-00571
Application Note." in their Security Advisory (INTEL-SA-00571), so
there are no patches for CVE-2021-33096.

Fixed status

Security Advisory INTEL-SA-00571 gives recommendations.

CVE-2021-45402: The check_alu_op() allows local users to obtain
potentially sensitive address information because it mishandles mov32
instruction.

CVSS v3 score is not provided.

This bug was introduced by commit 3f50f13 ("bpf: Verifier, do explicit
ALU32 bounds tracking") which was merged in 5.7-rc1, so kernels before
5.7-rc1 are not affected by this issue. It was fixed in 5.16-rc6 in
the mainline and backported to stable kernels.

Fixed status

mainline: [3cf2b61eb06765e27fec6799292d9fb46d0b7e60,
e572ff80f05c33cd0cb4860f864f5c9c044280b6]
stable/5.10: [e2aad0b5f2cbf71a31d00ce7bb4dee948adff5a9,
279e0bf80d95184666c9d41361b1625c045d1dcb]
stable/5.15: [f77d7a35d4913e4ab27abb36016fbfc1e882a654,
dbda060d50abbe91ca76010078742ca53264bfa6]

CVE-2022-0617: Null pointer dereference can be triggered when write to
an ICB inode

CVSS v3 score is not provided.

A null pointer dereference bug was found in the UDF file system.
The mainline, stable kernels, and the cip/4.4 kernel are already fixed.

Fixed status

cip/4.4: [0f28e1a57baf48a583093e350ea2bd3e4c09b8ea,
f25e032aa6e5cb2a22879759e4b08e4cd1c84e95]
mainline: [7fc3b7c2981bbd1047916ade327beccb90994eee,
ea8569194b43f0f01f0a84c689388542c7254a1f]
stable/4.14: [a312cbdb9045a52e5c1fec4ac7b86895f508dc76,
3fdf975173dc5acbd6e25b451bcbd558ba9d839a]
stable/4.19: [a23a59717f9f01a49394488f515550f9382fbada,
3740d41e7363374182a42f1621e06d5029c837d5]
stable/4.9: [f24454e42b5a58267928b0de53b0dd9b43e4dd46,
de10d14ce3aacba73c835cb979a85ef9683c193f]
stable/5.10: [de7cc8bcca90a9d77c915ee1d922dbd670c47d84,
0a3cfd258923aee63e7f144f134d42e205421848]
stable/5.15: [cbf96c58e28b1fece9630102781a93ff32c347f7,
2ea17d25be51ed8ea9fa59a66c9152d3c5ba0c7a]
stable/5.16: [620e8243cf5389e706c1c8f66ffacb3c84308a9e,
8baf0dbef73e1d1ad41f5db77bf20234fb7a7773]
stable/5.4: [31136e5467f381cf18e2cfd467207dda7678c7a2,
86bcc670d3000095bdb70342cf4d3fb6f3fc0a1a]

* Updated CVEs

CVE-2021-3894: sctp: local DoS: unprivileged user can cause BUG()

A local unprivileged user can cause a local DoS via the sctp subsystem.
This issue was introduced by commit cc16f00 ("sctp: add support for
generating stream reconf ssn reset request chunk"), which was merged in
4.11-rc1. It was fixed in 5.15-rc6.

Fixed status

mainline: [a2d859e3fc97e79d907761550dbc03ff1b36479c]
stable/4.19: [c57fdeff69b152185fafabd37e6bfecfce51efda]
stable/5.10: [d84a69ac410f6228873d05d35120f6bdddab7fc3]

CVE-2022-0487: Use after free in moxart_remove

A UAF bug was found in moxart_remove() in drivers/mmc/host/moxart-mmc.c.
All stable kernels were fixed this week.

Applying patch bd2db32 ("moxart: fix potential use-after-free on remove
path") to 4.4 needs a small code modification. However, it seems no CIP
member enables CONFIG_MMC_MOXART.

Fixed status

mainline: [bd2db32e7c3e35bd4d9b8bbff689434a50893546]
stable/4.14: [e6f580d0b3349646d4ee1ce0057eb273e8fb7e2e]
stable/4.19: [9c25d5ff1856b91bd4365e813f566cb59aaa9552]
stable/4.9: [f5dc193167591e88797262ec78515a0cbe79ff5f]
stable/5.10: [be93028d306dac9f5b59ebebd9ec7abcfc69c156]
stable/5.15: [af0e6c49438b1596e4be8a267d218a0c88a42323]
stable/5.16: [7f901d53f120d1921f84f7b9b118e87e94b403c5]
stable/5.4: [3a0a7ec5574b510b067cfc734b8bdb6564b31d4e]

CVE-2022-0492: cgroup-v1: Require capabilities to set release_agent

There was a bug in the cgroups v1 release_agent feature that allows
privilege escalation and namespace isolation bypass.
The 4.X series were fixed this week.

Fixed status

mainline: [24f6008564183aa120d07c03d9289519c2fe02af]
stable/4.14: [b391bb3554dd6e04b7a8ede975dbd3342526a045]
stable/4.19: [939f8b491887c27585933ea7dc5ad4123de58ff3]
stable/4.9: [7e33a0ad792f04bad920c7197bda8cc2ea08d304]
stable/5.10: [1fc3444cda9a78c65b769e3fa93455e09ff7a0d3]
stable/5.15: [4b1c32bfaa02255a5df602b41587174004996477]
stable/5.16: [9c9dbb954e618e3d9110f13cc02c5db1fb73ea5d]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


* [cip-dev] New CVE entries this week
@ 2021-08-26  1:09 Masami Ichikawa
  2021-08-26 10:01 ` Pavel Machek
       [not found] ` <169ED2F66B4753DB.9667@lists.cip-project.org>
  0 siblings, 2 replies; 44+ messages in thread
From: Masami Ichikawa @ 2021-08-26  1:09 UTC (permalink / raw)
  To: cip-dev


Hi !

It's this week's CVE report.

* CVE short summary

** New CVEs

CVE-2020-3702: mainline is fixed

CVE-2021-3732: mainline and stable kernels are fixed

** Updated CVEs

There is no update.

** Tracking CVEs

CVE-2021-31615: No fix information as of 2021/08/26.

CVE-2021-3640: No fix information as of 2021/08/26.

CVE-2020-26555: No fix information as of 2021/08/26.

CVE-2020-26556: No fix information as of 2021/08/26.

CVE-2020-26557: No fix information as of 2021/08/26.

CVE-2020-26559: No fix information as of 2021/08/26.

CVE-2020-26560: No fix information as of 2021/08/26.

CVE-2021-3600: mainline, 5.10, 5.4 are fixed. 4.4 isn't affected. 4.19
isn't fixed.

* CVE detail

New CVEs

CVE-2020-3702: Specifically timed and handcrafted traffic can cause
internal errors in a WLAN device that lead to improper layer 2 Wi-Fi
encryption with a consequent possibility of information disclosure
over the air for a discrete set of traffic

This CVE affects ath9k driver.

Fixed status

mainline: [56c5485c9e444c2e85e11694b6c44f1338fc20fd,
73488cb2fa3bb1ef9f6cf0d757f76958bd4deaca,
d2d3e36498dd8e0c83ea99861fac5cf9e8671226,
144cd24dbc36650a51f7fe3bf1424a1432f1f480,
ca2848022c12789685d3fab3227df02b863f9696]

CVE-2021-3732: kernel: overlayfs: Mounting overlayfs inside an
unprivileged user namespace can reveal files

cip/4.19: [963d85d630dabe75a3cfde44a006fec3304d07b8]
cip/4.4: [c6e8810d25295acb40a7b69ed3962ff181919571]
mainline: [427215d85e8d1476da1a86b8d67aceb485eb3631]
stable/4.14: [517b875dfbf58f0c6c9e32dc90f5cf42d71a42ce]
stable/4.19: [963d85d630dabe75a3cfde44a006fec3304d07b8]
stable/4.4: [c6e8810d25295acb40a7b69ed3962ff181919571]
stable/4.9: [e3eee87c846dc47f6d8eb6d85e7271f24122a279]
stable/5.10: [6a002d48a66076524f67098132538bef17e8445e]
stable/5.13: [41812f4b84484530057513478c6770590347dc30]
stable/5.4: [812f39ed5b0b7f34868736de3055c92c7c4cf459]

Updated CVEs

There is no update.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information as of 2021/08/26.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information as of 2021/08/26.

CVE-2020-26555: BR/EDR pin code pairing broken

There is no fix information as of 2021/08/26.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information as of 2021/08/26.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information as of 2021/08/26.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information as of 2021/08/26.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information as of 2021/08/26.

CVE-2021-3600: eBPF 32-bit source register truncation on div/mod

This vulnerability was introduced in 4.15-rc9. 4.4 is not
affected. 4.19 is not fixed yet as of 2021/08/26.

mainline: [e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90]
stable/5.10: [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
stable/5.4: [78e2f71b89b22222583f74803d14f3d90cdf9d12]

Regards,


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6705): https://lists.cip-project.org/g/cip-dev/message/6705
Mute This Topic: https://lists.cip-project.org/mt/85151460/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


* [cip-dev] New CVE entries this week
@ 2021-08-19  0:12 市川正美
  2021-08-19  7:10 ` Pavel Machek
  0 siblings, 1 reply; 44+ messages in thread
From: 市川正美 @ 2021-08-19  0:12 UTC (permalink / raw)
  To: cip-dev


Hi !

It's this week's CVE report.

* CVE short summary

** New CVEs

CVE-2021-3653: mainline, 5.10, 5.13, 5.4 are fixed.

CVE-2021-3656: mainline, 5.10, 5.13, 5.4 are fixed. 4.4 is not affected.

** Updated CVEs

CVE-2021-33624: mainline, 4.19, 5.10, 5.12, 5.4 are fixed. 4.4 is not
affected by this vulnerability.

CVE-2021-38198: mainline, 4.19, 5.10, 5.4 are fixed. 4.4 is affected by
this vulnerability.

CVE-2021-38205: mainline and stable kernels are fixed.

** Tracking CVEs

CVE-2021-31615: there is no fix information as of 2021/08/12

CVE-2021-3640: there is no fix information as of 2021/08/12


* CVE detail

New CVEs

CVE-2021-3653: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

CVE-2021-3653 and CVE-2021-3656 affect kernels with nested KVM enabled.

A patch for 4.19 has been backported at
https://lore.kernel.org/stable/20210816140240.11399-2-pbonzini@redhat.com/
but is not applied yet.

Fixed status

mainline: [0f923e07124df069ba68d8bb12324398f4b6b709]
stable/5.10: [c0883f693187c646c0972d73e525523f9486c2e3]
stable/5.13: [a0949ee63cf95408870a564ccad163018b1a9e6b]
stable/5.4: [7c1c96ffb658fbfe66c5ebed6bcb5909837bc267]

CVE-2021-3656: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

This vulnerability was introduced in 4.13-rc1, so the 4.4
kernel is not affected.
CVE-2021-3653 and CVE-2021-3656 affect kernels with nested KVM enabled.

A patch for 4.19 has been backported at
https://lore.kernel.org/stable/20210816140240.11399-9-pbonzini@redhat.com/
but is not applied yet.

Fixed status

mainline: [c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc]
stable/5.10: [3dc5666baf2a135f250e4101d41d5959ac2c2e1f]
stable/5.13: [639a033fd765ed473dfee27028df5ccbe1038a2e]
stable/5.4: [a17f2f2c89494c0974529579f3552ecbd1bc2d52]

Updated CVEs

CVE-2021-33624: Linux kernel BPF protection against speculative
execution attacks can be bypassed to read arbitrary kernel memory

The main patch 9183671af6dbf60a1219371d4ed73e23f43b49db fixes commit
b2157399cc9898260d6031c5bfe45fe137c1fbe7, which was merged in
4.15-rc8, so 4.4 is not affected by this vulnerability.

Fixed status

mainline: [d203b0fd863a2261e5d00b97f3d060c4c2a6db71,
fe9a5ca7e370e613a9a75a13008a3845ea759d6e,
9183671af6dbf60a1219371d4ed73e23f43b49db,
973377ffe8148180b2651825b92ae91988141b05]
stable/4.19: [0abc8c9754c953f5cd0ac7488c668ca8d53ffc90,
c510c1845f7b54214b4117272e0d87dff8732af6,
9df311b2e743642c5427ecf563c5050ceb355d1d,
c15b387769446c37a892f958b169744dabf7ff23]
stable/5.10: [e9d271731d21647f8f9e9a261582cf47b868589a,
8c82c52d1de931532200b447df8b4fc92129cfd9,
5fc6ed1831ca5a30fb0ceefd5e33c7c689e7627b]
stable/5.12: [408a4956acde24413f3c684912b1d3e404bed8e2,
68a1936e1812653b68c5b68e698d88fb35018835,
4a99047ed51c98a09a537fe2c12420d815dfe296,
e5e2010ac3e27efa1e6e830b250f491da82d51b4]
stable/5.4: [283d742988f6b304f32110f39e189a00d4e52b92,
d2f790327f83b457db357e7c66f942bc00d43462,
fd568de5806f8859190e6305a1792ba8cb20de61,
a0f66ddf05c2050e1b7f53256bd9c25c2bb3022b]

CVE-2021-38198: KVM: X86: MMU: Use the correct inherited permissions
to get shadow page

This vulnerability was introduced in 2.6.20-rc4, so 4.4 is affected by
this CVE, but the patch didn't apply to 4.4
(https://lore.kernel.org/stable/162358450944186@kroah.com/). The patch
also failed to apply to 4.19, but a backport patch has been merged
recently (https://lore.kernel.org/stable/20210812174140.2370680-1-ovidiu.panait@windriver.com/).

Fixed status

mainline: [b1bd5cba3306691c771d558e94baa73e8b0b96b7]
stable/4.19: [4c07e70141eebd3db64297515a427deea4822957]
stable/5.10: [6b6ff4d1f349cb35a7c7d2057819af1b14f80437]
stable/5.4: [d28adaabbbf4a6949d0f6f71daca6744979174e2]

CVE-2021-38205: net: xilinx_emaclite: Do not print real IOMEM pointer

We talked about this CVE in the previous weekly CVE report. Thank you,
Pavel, for backporting the patch.

Fixed status

mainline: [d0d62baa7f505bd4c59cd169692ff07ec49dde37]
stable/4.14: [1994eacac7af52da86e4b0cb6ae61621bef7393f]
stable/4.19: [9322401477a6d1f9de8f18e5d6eb43a68e0b113a]
stable/4.4: [3d4ba14fc5ffbe5712055af09a5c0cbab93c0f44]
stable/4.9: [ffdc1e312e2074875147c1df90764a9bae56f11f]
stable/5.10: [25cff25ec60690247db8138cd1af8b867df2c489]
stable/5.13: [8722275b41d5127048e1422a8a1b6370b4878533]
stable/5.4: [38b8485b72cbe4521fd2e0b8770e3d78f9b89e60]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information as of 2021/08/19.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information as of 2021/08/19.

Regards,


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com





* [cip-dev] New CVE entries this week
@ 2021-08-12  0:33 市川正美
  2021-08-12  5:43 ` Pavel Machek
  0 siblings, 1 reply; 44+ messages in thread
From: 市川正美 @ 2021-08-12  0:33 UTC (permalink / raw)
  To: cip-dev


Hi !

It's this week's CVE report.

* CVE short summary

** New CVEs

CVE-2021-3635: There is no detailed information as of 2021/08/12

CVE-2021-38160: mainline and stable kernels are fixed.

CVE-2021-38166: Fixed in the bpf tree. Not fixed in mainline as of 2021/08/12

CVE-2021-38198: mainline and v5.10 are fixed as of 2021/08/12

CVE-2021-38199: mainline, v4.19, and v5.X kernels are fixed. This CVE
was introduced by commit 5c6e5b6, which has been in since v4.8-rc1

CVE-2021-38200: This CVE only affects PowerPC architecture

CVE-2021-38201: This CVE was introduced in v5.11-rc1, so kernels before
5.11 aren't affected

CVE-2021-38202: This CVE was introduced in v5.13-rc1, so kernels before
5.13 aren't affected

CVE-2021-38203: This CVE was introduced in v5.13-rc1, so kernels before
5.13 aren't affected

CVE-2021-38204: mainline and stable kernels are fixed

CVE-2021-38205: mainline is fixed as of 2021/08/12

CVE-2021-38206: mainline and 5.10 are fixed. This CVE affects kernels since v5.9

CVE-2021-38207: mainline and 5.10 are fixed. This CVE affects kernels since v5.6-rc4

CVE-2021-38208: mainline and stable kernels are fixed as of 2021/08/21

CVE-2021-38209: mainline and 5.10 are fixed. This CVE was introduced
in 5.7-rc1, so kernels before 5.7 aren't affected by this CVE.

** Updated CVEs

No update.

** Tracking CVEs

CVE-2021-31615: there is no fix information as of 2021/08/12

CVE-2021-3640: there is no fix information as of 2021/08/12


* CVE detail

New CVEs

CVE-2021-3635: flowtable list del corruption with kernel BUG at
lib/list_debug.c:50

According to the Red Hat bugzilla, "A flaw was found in the
Linux kernels netfilter implementation. A missing generation check
during DELTABLE processing causes it to queue the DELFLOWTABLE
operation a second time possibly leading to data corruption and denial
of service.  An attacker must have either root or CAP_SYS_ADMIN
capabilities to exploit this flaw."  However, there is no more
detailed information as of 2021/08/12.

Fixed status

None

CVE-2021-38160: virtio_console: Assure used length from device is limited

Fixed status

mainline: [d00d8da5869a2608e97cfede094dfc5e11462a46]
stable/4.14: [56cf748562d3cbfd33d1ba2eb4a7603a5e20da88]
stable/4.19: [b5fba782ccd3d12a14f884cd20f255fc9c0eec0c]
stable/4.4: [187f14fb88a9e62d55924748a274816fe6f34de6]
stable/4.9: [9e2b8368b2079437c6840f3303cb0b7bc9b896ee]
stable/5.10: [f6ec306b93dc600a0ab3bb2693568ef1cc5f7f7a]
stable/5.13: [21a06a244d2576f93cbc9ce9bf95814c2810c36a]
stable/5.4: [52bd1bce8624acb861fa96b7c8fc2e75422dc8f7]

CVE-2021-38166: bpf: Fix integer overflow involving bucket_size

This CVE was introduced by commit 057996380a42 ("bpf: Add batch ops to
all htab bpf map"), which has been in since 5.6-rc1.

Fixed status

None

CVE-2021-38198: KVM: X86: MMU: Use the correct inherited permissions
to get shadow page

Fixed status

mainline: [b1bd5cba3306691c771d558e94baa73e8b0b96b7]
stable/5.10: [6b6ff4d1f349cb35a7c7d2057819af1b14f80437]

CVE-2021-38199: NFSv4: Initialise connection to the server in
nfs4_alloc_client()

This CVE was introduced by commit 5c6e5b6 ("NFS: Fix an Oops in the
pNFS files and flexfiles connection setup to the DS"), which was in
v4.8-rc1. So v4.4 is not affected by this CVE.

Fixed status

mainline: [dd99e9f98fbf423ff6d365b37a98e8879170f17c]
stable/4.19: [743f6b973c8ba8a0a5ed15ab11e1d07fa00d5368]
stable/5.10: [ff4023d0194263a0827c954f623c314978cf7ddd]
stable/5.13: [b0bfac939030181177373f549398ba94c384713d]
stable/5.4: [81e03fe5bf8f5f66b8a62429fb4832b11ec6b272]

CVE-2021-38200: powerpc/perf: Fix crash with
'perf_instruction_pointer' when pmu is not set

This CVE only affects PowerPC architecture so we don't have to track it.

Fixed status

mainline: [60b7ed54a41b550d50caf7f2418db4a7e75b5bdc]

CVE-2021-38201: net/sunrpc/xdr.c in the Linux kernel before 5.13.4
allows remote attackers to cause a denial of service
(xdr_set_page_base slab-out-of-bounds access) by performing many NFS
4.2 READ_PLUS operations.

This CVE was introduced by commit 8d86e37 ("SUNRPC: Clean up helpers
xdr_set_iov() and xdr_set_page_base()"), which has been in since v5.11-rc1.
So we don't have to track it.

Fixed status

mainline: [6d1c0f3d28f98ea2736128ed3e46821496dc3a8c]
stable/5.13: [a02357d7532b88e97329bd7786c7e72601109704]

CVE-2021-38202: fs/nfsd/trace.h in the Linux kernel before 5.13.4
might allow remote attackers to cause a denial of service
(out-of-bounds read in strlen) by sending NFS traffic when the trace
event framework is being used for nfsd.

This CVE was introduced by commit 6019ce0 ("NFSD: Add a tracepoint to
record directory entry encoding"), which has been in since v5.13-rc1.
We don't have to track it.

Fixed status

mainline: [7b08cf62b1239a4322427d677ea9363f0ab677c6]
stable/5.13: [7605bff387a9972038b217b6c60998778dbae931]

CVE-2021-38203: btrfs: fix deadlock with concurrent chunk allocations
involving system chunks

This CVE was introduced in v5.13-rc1, so the 5.10, 4.19 and 4.4 kernels
aren't affected. We don't have to track it.

Fixed status

mainline: [1cb3db1cf383a3c7dbda1aa0ce748b0958759947]
stable/5.13: [789b24d9950d3e67b227f81b3fab912a8fb257af]

CVE-2021-38204: usb: max-3421: Prevent corruption of freed memory

Fixed status

mainline: [b5fdf5c6e6bee35837e160c00ac89327bdad031b]
stable/4.14: [edddc79c4391f8001095320d3ca423214b9aa4bf]
stable/4.19: [51fc12f4d37622fa0c481604833f98f11b1cac4f]
stable/4.4: [fc2a7c2280fa2be8ff9b5af702368fcd49a0acdb]
stable/4.9: [ae3209b9fb086661ec1de4d8f4f0b951b272bbcd]
stable/5.10: [7af54a4e221e5619a87714567e2258445dc35435]
stable/5.13: [d4179cdb769a651f2ae89c325612a69bf6fbdf70]
stable/5.4: [863d071dbcd54dacf47192a1365faec46b7a68ca]

CVE-2021-38205: net: xilinx_emaclite: Do not print real IOMEM pointer

xemaclite_of_probe() in drivers/net/ethernet/xilinx/xilinx_emaclite.c
leaks kernel memory layout.

Fixed status

mainline: [d0d62baa7f505bd4c59cd169692ff07ec49dde37]
stable/5.13: [8722275b41d5127048e1422a8a1b6370b4878533]

CVE-2021-38206: mac80211: Fix NULL ptr deref for injected rate info

This CVE was introduced by commit cb17ed2 ("mac80211: parse radiotap
header when selecting Tx queue"), which has been in since 5.9-rc1.
Therefore kernels before 5.9 aren't affected.

Fixed status

mainline: [bddc0c411a45d3718ac535a070f349be8eca8d48]
stable/5.10: [f74df6e086083dc435f7500bdbc86b05277d17af]
stable/5.4: [b6c0ab11c88fb016bfc85fa4f6f878f5f4263646]

CVE-2021-38207: net: ll_temac: Fix TX BD buffer overwrite

This CVE was introduced by commit 84823ff ("net: ll_temac: Fix race
condition causing TX hang"), which has been in since v5.6-rc4, so
kernels before 5.6-rc aren't affected.

Fixed status

mainline: [c364df2489b8ef2f5e3159b1dff1ff1fdb16040d]
stable/5.10: [cfe403f209b11fad123a882100f0822a52a7630f]
stable/5.4: [b6c0ab11c88fb016bfc85fa4f6f878f5f4263646]

CVE-2021-38208: net/nfc/llcp_sock.c in the Linux kernel before 5.12.10
allows local unprivileged users to cause a denial of service (NULL
pointer dereference and BUG) by making a getsockname call after a
certain type of failure of a bind call.

Fixed status

mainline: [4ac06a1e013cf5fdd963317ffd3b968560f33bba]
stable/4.14: [ffff05b9ee5c74c04bba2801c1f99b31975d74d9]
stable/4.19: [93e4ac2a9979a9a4ecc158409ed9c3044dc0ae1f]
stable/4.4: [eb6875d48590d8e564092e831ff07fa384d7e477]
stable/4.9: [39c15bd2e5d11bcf7f4c3dba2aad9e1e110a5d94]
stable/5.10: [48ee0db61c8299022ec88c79ad137f290196cac2]
stable/5.4: [5d4c4b06ed9fb7a69d0b2e2a73fc73226d25ab70]

CVE-2021-38209: net/netfilter/nf_conntrack_standalone.c in the Linux
kernel before 5.12.2 allows observation of changes in any net
namespace because these changes are leaked into all other net
namespaces. This is related to the NF_SYSCTL_CT_MAX,
NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls.

This CVE was introduced by commit d0febd8 ("netfilter: conntrack:
re-visit sysctls in unprivileged namespaces"), which has been in since
5.7-rc1. Therefore kernels before 5.7 aren't affected by this CVE.

Fixed status

mainline: [2671fa4dc0109d3fb581bc3078fdf17b5d9080f6]
stable/4.14: [68122479c128a929f8f7bdd951cfdc8dd0e75b8f]
stable/4.19: [9b288479f7a901a14ce703938596438559d7df55]
stable/4.9: [da50f56e826e1db141693297afb99370ebc160dd]
stable/5.10: [d3598eb3915cc0c0d8cab42f4a6258ff44c4033e]
stable/5.4: [baea536cf51f8180ab993e374cb134b5edad25e2]

Updated CVEs

No update.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information as of 2021/08/12.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information as of 2021/08/12.

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com





* [cip-dev] New CVE entries this week
@ 2021-08-05  0:47 市川正美
  2021-08-05  9:00 ` Pavel Machek
  0 siblings, 1 reply; 44+ messages in thread
From: 市川正美 @ 2021-08-05  0:47 UTC (permalink / raw)
  To: cip-dev


Hi !

It's this week's CVE report.

* CVE short summary

** New CVEs

CVE-2021-3659: stable kernels are fixed

CVE-2021-35477: mainline, v5.10, and v5.13 are fixed

CVE-2021-34556: mainline, v5.10, and v5.13 are fixed

CVE-2021-3669: According to the Red Hat bugzilla, "Not reported
upstream, patches are being worked on."

CVE-2021-3679: mainline and stable kernels are fixed

** Updated CVEs

CVE-2021-29256: the vulnerability is in a 3rd-party module.

CVE-2021-31829: v4.4 is not affected by this vulnerability. Other stable
kernels are fixed.

CVE-2021-3655: Updated the v4.4 fixed status. Stable kernels are fixed.

CVE-2021-22543: v4.19 and v5.10 are fixed. v4.4 uses another way to
get the pfn. If v4.4 is vulnerable, it will need its own patch.

CVE-2021-21781: v4.4 and v4.9 are fixed. All stable kernels are fixed.

CVE-2021-37159: mainline, v5.10, v5.13 are fixed as of 2021/08/05


** Tracking CVEs

CVE-2021-31615: there is no fix information as of 2021/08/05

CVE-2021-3640: there is no fix information as of 2021/08/05


* CVE detail

New CVEs

CVE-2021-3659: NULL pointer dereference in llsec_key_alloc() in
net/mac802154/llsec.c

Stable kernels are fixed.

Fixed status

mainline: [1165affd484889d4986cf3b724318935a0b120d8]
stable/4.14: [d103fd20f0539e2bd615ed6f6159537cb7e2c5ba]
stable/4.19: [c166c0f5311dc9de687b8985574a5ee5166d367e]
stable/4.4: [cd19d85e6d4a361beb11431af3d22248190f5b48]
stable/4.9: [c3883480ce4ebe5b13dbfdc9f2c6503bc9e8ab69]
stable/5.10: [38731bbcd9f0bb8228baaed5feb4a1f76530e49c]
stable/5.4: [38ea2b3ed00fb4632a706f2c796d6aa4a884f573]


CVE-2021-35477: unprivileged BPF program can obtain sensitive
information from kernel memory via a speculative store bypass
side-channel attack because the technique used by the BPF verifier to
manage speculation is unreliable

CVE-2021-34556 and CVE-2021-35477 are fixed by the same commits.
Commit 2039f26f3aca fixes af86ca4e3088 (introduced in v4.17-rc7) and
f7cf25b2026d (introduced in v5.3-rc1).

Fixed status
mainline: [f5e81d1117501546b7be050c5fbafa6efd2c722c,
2039f26f3aca5b0e419b98f65dd36481337b86ee]
stable/5.10: [bea9e2fd180892eba2574711b05b794f1d0e7b73,
0e9280654aa482088ee6ef3deadef331f5ac5fb0]
stable/5.13: [ddab060f996e17b38bb181c5fd11a83fd1bfa0df,
0b27bdf02c400684225ee5ee99970bcbf5082282]

CVE-2021-34556: unprivileged BPF program can obtain sensitive
information from kernel memory via a speculative store bypass
side-channel attack because of the possibility of uninitialized memory
locations on the BPF stack

CVE-2021-34556 and CVE-2021-35477 are fixed by the same commits. Commit
2039f26f3aca fixes af86ca4e3088 (introduced in v4.17-rc7) and
f7cf25b2026d (introduced in v5.3-rc1).

Fixed status
mainline: [f5e81d1117501546b7be050c5fbafa6efd2c722c,
2039f26f3aca5b0e419b98f65dd36481337b86ee]
stable/5.10: [bea9e2fd180892eba2574711b05b794f1d0e7b73,
0e9280654aa482088ee6ef3deadef331f5ac5fb0]
stable/5.13: [ddab060f996e17b38bb181c5fd11a83fd1bfa0df,
0b27bdf02c400684225ee5ee99970bcbf5082282]

CVE-2021-3669: reading /proc/sysvipc/shm does not scale with large
shared memory segment counts

According to the Red Hat bugzilla, "Not reported upstream, patches
are being worked on.  It is not considered high impact because of the
requirements and need to have massive amount of shm (usually well
above ulimits) ".

https://bugzilla.redhat.com/show_bug.cgi?id=1986473#c10

CVE-2021-3679: tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop

Mainline and stable kernels are fixed.

Fixed status
mainline: [67f0d6d9883c13174669f88adac4f0ee656cc16a]
stable/4.14: [76598512d5d7fc407c319ca4448cf5348b65058a]
stable/4.19: [6a99bfee7f5625d2577a5c3b09a2bd2a845feb8a]
stable/4.4: [afa091792525dfa6c3c854069ec6b8a5ccc62c11]
stable/4.9: [7db12bae1a239d872d17e128fd5271da789bf99c]
stable/5.10: [757bdba8026be19b4f447487695cd0349a648d9e]
stable/5.13: [917a5bdd114a27c159796928cb3c09723a51d1c7]
stable/5.4: [f899f24d34d964593b16122a774c192a78e2ca56]

Updated CVEs

CVE-2021-29256: The Arm Mali GPU kernel driver allows an unprivileged
user to achieve access to freed memory, leading to information
disclosure or root privilege escalation

This driver is a 3rd-party module provided by ARM. The mainline
kernel doesn't provide the driver code.
Bifrost and Valhall are fixed, but the Midgard driver is not fixed as of 2021/08/03.

CVE-2021-31829: kernel/bpf/verifier.c in the Linux kernel through
5.12.1 performs undesirable speculative loads, leading to disclosure
of stack content via side-channel attacks, aka CID-801c6058d14a

According to commit b9b34ddbe207, this CVE was introduced by
979d63d50c0c. Also, 979d63d50c0c fixes commit b215739, which was
released in v4.15-rc8, so v4.4 is not affected by this vulnerability.

Fixed status
mainline: [b9b34ddbe2076ade359cd5ce7537d5ed019e9807,
801c6058d14a82179a7ee17a4b532cac6fad067f]
stable/4.14: [4d542ddb88fb2f39bf7f14caa2902f3e8d06f6ba,
19e4f40ce75079b9532f35f92780db90104648f1]
stable/4.19: [0e2dfdc74a7f4036127356d42ea59388f153f42c,
bd9df99da9569befff2234b1201ac4e065e363d0]
stable/5.10: [2cfa537674cd1051a3b8111536d77d0558f33d5d,
2fa15d61e4cbaaa1d1250e67b251ff96952fa614]
stable/5.4: [53e0db429b37a32b8fc706d0d90eb4583ad13848,
8ba25a9ef9b9ca84d085aea4737e6c0852aa5bfd]

CVE-2021-3655: missing size validations on inbound SCTP packets

Updated the v4.4 fixed status. Stable kernels are fixed.

Fixed status
mainline: [0c5dc070ff3d6246d22ddd931f23a6266249e3db,
50619dbf8db77e98d821d615af4f634d08e22698,
b6ffe7671b24689c09faa5675dd58f93758a97ae,
ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9]
stable/4.19: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
dd16e38e1531258d332b0fc7c247367f60c6c381]
stable/4.4: [48cd035cad5b5fad0648aa8294c4223bedb166dd]
stable/4.9: [c7da1d1ed43a6c2bece0d287e2415adf2868697e]
stable/5.10: [d4dbef7046e24669278eba4455e9e8053ead6ba0,
6ef81a5c0e22233e13c748e813c54d3bf0145782]

CVE-2021-22543: An issue was discovered in the Linux: KVM through
Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks
and can lead to pages being freed while still accessible by the VMM
and guest

hva_to_pfn_remapped() doesn't exist in the v4.4 kernel, and it uses a
different way to get the pfn.
If v4.4 is affected by this CVE, it'll need its own patch.

Fixed status
mainline: [f8be156be163a052a067306417cd0ff679068c97]
stable/4.19: [117777467bc015f0dc5fc079eeba0fa80c965149]
stable/5.10: [dd8ed6c9bc2224c1ace5292d01089d3feb7ebbc3]
stable/5.12: [c36fbd888dcc27d365c865e6c959d7f7802a207c]
stable/5.4: [bb85717e3797123ae7724751af21d0c9d605d61e]

CVE-2021-21781: Arm SIGPAGE information disclosure vulnerability

All stable kernels are fixed.

Fixed status
mainline: [9c698bff66ab4914bb3d71da7dc6112519bde23e]
stable/4.14: [b71cc506778eb283b752400e234784ee86b5891c]
stable/4.19: [80ef523d2cb719c3de66787e922a96b5099d2fbb]
stable/4.4: [8db77dca7e1d1d1d6aa9334207ead57853832bb7]
stable/4.9: [aa1b5f2fe4532e99986f1eee2c04bb7d314e3007]
stable/5.10: [7913ec05fc02ccd7df83280451504b0a3e543097]
stable/5.4: [f49bff85b6dbb60a410c7f7dc53b52ee1dc22470]

CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c in the
Linux kernel through 5.13.4 calls unregister_netdev without checking
for the NETREG_REGISTERED state, leading to a use-after-free and a
double free.

Mainline, 5.10 and 5.13 are fixed.

Fixed status
mainline: [a6ecfb39ba9d7316057cea823b196b734f6b18ca]
stable/5.10: [115e4f5b64ae8d9dd933167cafe2070aaac45849]
stable/5.13: [eeaa4b8d1e2e6f10362673d283a97dccc7275afa]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information as of 2021/08/03.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information as of 2021/08/03.

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com





* [cip-dev] New CVE entries this week
@ 2021-07-29  1:18 市川正美
  2021-07-29  7:47 ` Pavel Machek
  2021-07-29  7:50 ` Nobuhiro Iwamatsu
  0 siblings, 2 replies; 44+ messages in thread
From: 市川正美 @ 2021-07-29  1:18 UTC (permalink / raw)
  To: cip-dev


Hi !

Here is this week's CVE report.

* CVE short summary

** New CVEs

CVE-2021-3640: there is no fix information as of 2021/07/29.

CVE-2021-37576: mainline and stable kernels are fixed. This CVE only
affects powerpc architecture.

** Updated CVEs

CVE-2021-31829: I fixed wrong security information.

CVE-2021-22543: added stable/4.19 fixed commit.

** Tracking CVEs

CVE-2021-29256: not fixed in mainline yet

CVE-2021-31615: not fixed in mainline yet

CVE-2021-21781: v4.4 is not fixed as of 2021/07/29

CVE-2021-3655: v4.4 is not fixed as of 2021/07/29

CVE-2021-37159: mainline is not fixed as of 2021/07/29

* CVE detail

New CVEs

- CVE-2021-3640: Linux kernel: UAF in sco_send_frame function

Not fixed in mainline.

From the email (https://www.openwall.com/lists/oss-security/2021/07/22/1):

-------------
2021-07-08: Bug reported to security@...nel.org and
linux-distros@...openwall.org
2021-07-09: CVE-2021-3640 is assigned
2021-07-22: 14 days of the embargo is over

One sad thing is that the bluez team is currently focused on fixing up
CVE-2021-3573, which I failed to patch properly, and the patch for this
new one is not yet fully discussed.
I hope the patch will be settled down and merged to the mainline in the
near future.
-------------

CVE-2021-37576: KVM guest to host memory corruption

This vulnerability only affects PowerPC architecture.

No CIP member uses the PPC architecture.

Fixed status
mainline: [f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a]
stable/4.19: [0493b10c06021796ba80cbe53c961defd5aca6e5]
stable/4.4: [1e90a673f6ee09c668fe01aa1b94924f972c9811]
stable/5.10: [c1fbdf0f3c26004a2803282fdc1c35086908a99e]

Updated CVEs

CVE-2021-22543: KVM: improper handling of VM_IO|VM_PFNMAP vmas in KVM
can bypass RO checks and can lead to pages being freed while still
accessible by the VMM and guest

Added stable/4.19 fixed commit.

The v4.4 kernel gets the pfn the following way in hva_to_pfn(). It does
not use kvm_get_pfn(); hva_to_pfn_remapped() doesn't exist in the v4.4 kernel.

            else if ((vma->vm_flags & VM_PFNMAP)) {
                    pfn = ((addr - vma->vm_start) >> PAGE_SHIFT) +
                            vma->vm_pgoff;


If v4.4 has the same vulnerability, we'll need to write our own patch.

CVE-2021-31829: Linux kernel protection of stack pointer against
speculative pointer arithmetic can be bypassed to leak content of
kernel memory

Fixed status
mainline: [f8be156be163a052a067306417cd0ff679068c97]
stable/4.19: [117777467bc015f0dc5fc079eeba0fa80c965149]
stable/5.10: [dd8ed6c9bc2224c1ace5292d01089d3feb7ebbc3]

There was wrong information, so I updated it.
stable/5.10 is fixed but cip/5.10 is not fixed yet.

Currently tracking CVEs

CVE-2021-29256: The Arm Mali GPU kernel driver allows an unprivileged
user to achieve access to freed memory

Not fixed in mainline yet

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

Not fixed in mainline yet

CVE-2021-21781: Arm SIGPAGE information disclosure vulnerability

v4.4 is not fixed as of 2021/07/29

Fixed status
mainline: [9c698bff66ab4914bb3d71da7dc6112519bde23e]
stable/4.19: [80ef523d2cb719c3de66787e922a96b5099d2fbb]
stable/5.10: [7913ec05fc02ccd7df83280451504b0a3e543097]

CVE-2021-3655: missing size validations on inbound SCTP packets

According to cip-kernel-sec's scripts, v4.4 is not fixed as of 2021/07/29.

One of the patches, 50619dbf8db77e98d821d615af4f634d08e22698, is included:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/sctp?h=linux-4.4.y&id=48cd035cad5b5fad0648aa8294c4223bedb166dd

Fixed status
mainline: [0c5dc070ff3d6246d22ddd931f23a6266249e3db,
50619dbf8db77e98d821d615af4f634d08e22698,
b6ffe7671b24689c09faa5675dd58f93758a97ae,
ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9]
stable/4.19: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
dd16e38e1531258d332b0fc7c247367f60c6c381]
stable/4.9: [c7da1d1ed43a6c2bece0d287e2415adf2868697e]
stable/5.10: [d4dbef7046e24669278eba4455e9e8053ead6ba0,
6ef81a5c0e22233e13c748e813c54d3bf0145782]


CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c in the
Linux kernel through 5.13.4 calls unregister_netdev without checking
for the NETREG_REGISTERED state, leading to a use-after-free and a
double free.

Mainline is not fixed as of 2021/07/29.

Regards,


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com
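The "Fixed status" lists in these reports are the raw material for deciding which CIP branches still need a backport. The following is an added example, written for this page and not part of the original report or of the cip-kernel-sec scripts it mentions: a small parser for that list format (one "branch: [commit ids]" line per branch, lists sometimes wrapped across lines, or a "not fixed yet" / "not affected" phrase) that rejects malformed commit ids and reports watched branches with no fix recorded. The sample report text (commit ids copied from the 2021-07-29 report), the watched-branch list, and the rule that a branch absent from a CVE's list counts as unfixed are assumptions of the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample shaped like the reports' "Fixed status" lists (ids copied from the 2021-07-29 report).
SAMPLE_REPORT = """\
CVE-2021-3655: missing size validations on inbound SCTP packets

Fixed status
mainline: [0c5dc070ff3d6246d22ddd931f23a6266249e3db,
50619dbf8db77e98d821d615af4f634d08e22698,b6ffe7671b24689c09faa5675dd58f93758a97ae,
ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9]
stable/4.19: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
dd16e38e1531258d332b0fc7c247367f60c6c381]
stable/4.4: not fixed yet
cip/4.4-rt: not affected

- CVE-2021-37159: hso_free_net_device UAF and double free

Fixed commit

mainline: [a6ecfb39ba9d7316057cea823b196b734f6b18ca]
stable/5.10: [115e4f5b64ae8d9dd933167cafe2070aaac45849]
"""
CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\b")
BRANCH_RE = re.compile(r"^([A-Za-z0-9._/-]+):\s*(.*)$")
COMMIT_RE = re.compile(r"^[0-9a-f]{7,40}$")
BranchState = Tuple[str, List[str]]  # ("fixed"|"not fixed"|"not affected", ids)
WATCHED_BRANCHES = ["mainline", "stable/4.4", "stable/4.19", "stable/5.10"]  # assumed

def _classify(value: str) -> BranchState:
    """Text after 'branch:' -> (state, commit ids)."""
    v = value.strip().lower()
    if v.startswith("["):
        ids = [c.strip() for c in v.strip("[]").split(",") if c.strip()]
        bad = [c for c in ids if not COMMIT_RE.match(c)]
        if bad:  # a mistyped hash would silently hide a missing backport
            raise ValueError(f"malformed commit id(s): {bad}")
        return ("fixed", ids)
    if "not affected" in v:
        return ("not affected", [])
    if "not fixed" in v:
        return ("not fixed", [])
    raise ValueError(f"unrecognised status: {value!r}")

def parse_fix_status(text: str) -> Dict[str, Dict[str, BranchState]]:
    """Map each CVE id in a report to its per-branch fix state."""
    result: Dict[str, Dict[str, BranchState]] = {}
    cve, in_list, entries, pending = None, False, 0, None
    for raw in text.splitlines():
        line = re.sub(r"^-\s+", "", raw.strip())  # drop a "- " bullet
        m = CVE_RE.match(line)
        if m:
            cve, in_list = m.group(1), False
            result.setdefault(cve, {})
            continue
        if cve is None:
            continue
        if pending is not None:  # a "[...]" list wrapped across lines
            branch, buf = pending
            pending = (branch, buf + "," + line)
            if "]" in line:
                result[cve][branch] = _classify(pending[1])
                pending, entries = None, entries + 1
            continue
        if line.lower().startswith(("fixed status", "fixed commit")):
            in_list, entries = True, 0
            continue
        if not in_list:
            continue
        if not line:  # a blank line after the first entry ends the list
            in_list = entries == 0
            continue
        m = BRANCH_RE.match(line)
        if not m:  # narrative text ends the list too
            in_list = False
            continue
        branch, value = m.group(1), m.group(2)
        if value.startswith("[") and "]" not in value:
            pending = (branch, value)
        else:
            result[cve][branch] = _classify(value)
            entries += 1
    if pending is not None:
        raise ValueError(f"unterminated commit list for {pending[0]}")
    return result

def branches_missing_fix(status, watched=WATCHED_BRANCHES):
    """Watched branches per CVE with no fix recorded; an unlisted branch
    counts as unfixed (assumption: a branch is listed once its fix is known)."""
    unfixed = lambda b, w: b.get(w, ("not fixed", []))[0] == "not fixed"
    gaps = {c: [w for w in watched if unfixed(b, w)] for c, b in status.items()}
    return {c: m for c, m in gaps.items() if m}

def is_well_formed(text: str) -> bool:
    try:
        parse_fix_status(text)
        return True
    except ValueError:
        return False
```

Run on the sample, `branches_missing_fix(parse_fix_status(SAMPLE_REPORT))` reports stable/4.4 and stable/5.10 for CVE-2021-3655 and stable/4.4 and stable/4.19 for CVE-2021-37159; a mistyped or unterminated commit list makes `is_well_formed` return False instead of being read as "fixed".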



* [cip-dev] New CVE entries this week
@ 2021-07-22  2:02 市川正美
  0 siblings, 0 replies; 44+ messages in thread
From: 市川正美 @ 2021-07-22  2:02 UTC (permalink / raw)
  To: cip-dev


Hi !

Here is this week's CVE report.

* CVE short summary

** New CVEs

CVE-2021-21781: stable/4.19 and stable/5.10 are fixed. stable/4.4 is
not fixed yet.
CVE-2021-33909: stable/4.4, stable/4.19, and stable/5.10 are fixed.
CVE-2021-3655: stable/4.19 and stable/5.10 are fixed. stable/4.4 is
not fixed yet.
CVE-2021-37159: not fixed in mainline.

** Updated CVEs

CVE-2020-8835: stable/4.4, stable/4.19, and stable/5.10 aren't affected.

* CVE detail

New CVEs

- CVE-2021-21781: Arm SIGPAGE information disclosure vulnerability

The stable/4.4 kernel is not fixed yet. The stable/4.4 kernel's
get_signal_page() in arch/arm/kernel/signal.c seems to be vulnerable
too.

Fixed commit

mainline: [9c698bff66ab4914bb3d71da7dc6112519bde23e]
stable/4.4: not fixed yet
stable/4.19: [80ef523d2cb719c3de66787e922a96b5099d2fbb]
stable/5.10: [7913ec05fc02ccd7df83280451504b0a3e543097]

- CVE-2021-33909: size_t-to-int vulnerability in Linux's filesystem layer

Fixed commit

mainline: [8cae8cd89f05f6de223d63e6d15e31c8ba9cf53b]
stable/4.19: [6de9f0bf7cacc772a618699f9ed5c9f6fca58a1d]
stable/4.4: [3533e50cbee8ff086bfa04176ac42a01ee3db37d]
stable/5.10: [174c34d9cda1b5818419b8f5a332ced10755e52f]

- CVE-2021-3655: missing size validations on inbound SCTP packets

stable/4.4 (v4.4.276) contains upstream commit
50619dbf8db77e98d821d615af4f634d08e22698
(https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.4.276&id=48cd035cad5b5fad0648aa8294c4223bedb166dd).

Fixed commit

mainline: [0c5dc070ff3d6246d22ddd931f23a6266249e3db,
50619dbf8db77e98d821d615af4f634d08e22698,
b6ffe7671b24689c09faa5675dd58f93758a97ae,
ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9]
stable/4.19: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
dd16e38e1531258d332b0fc7c247367f60c6c381]
stable/5.10: [d4dbef7046e24669278eba4455e9e8053ead6ba0,
6ef81a5c0e22233e13c748e813c54d3bf0145782]

- CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c in the
Linux kernel through 5.13.4 calls unregister_netdev without checking
for the NETREG_REGISTERED state, leading to a use-after-free and a
double free.

The original patch is not merged.

Updated CVEs

- CVE-2020-8835: bpf verifier (kernel/bpf/verifier.c) did not properly
restrict the register bounds for 32-bit operations, leading to
out-of-bounds reads and writes in kernel memory

This CVE was introduced in v5.5-rc1 and fixed in v5.7-rc1. Therefore
stable/4.4, stable/4.19, and stable/5.10 aren't affected.

From last week CVEs

CVE-2021-29256: not fixed in mainline yet
CVE-2021-31615: not fixed in mainline yet


Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* [cip-dev] New CVE entries this week
@ 2021-07-15  1:00 市川正美
  0 siblings, 0 replies; 44+ messages in thread
From: 市川正美 @ 2021-07-15  1:00 UTC (permalink / raw)
  To: cip-dev


Hi !

It's this week's CVE report.

CVE Summary

There is one new CVE.

CVE-2021-22555: Affects all CIP kernels

There are two updated CVEs.

CVE-2021-34693: CIP kernels 4.19, 4.19-rt, and 4.4 are fixed
CVE-2021-35039: CIP kernels 4.19 and 4.4 are fixed

From last week CVEs

CVE-2020-28097: CIP kernels are fixed
CVE-2021-29256: it seems not to be fixed in mainline yet
CVE-2021-31615: it seems not to be fixed in mainline yet
CVE-2021-35039: CIP kernels 4.4 and 4.4-rt aren't affected; 4.19 is fixed

* New CVEs detail

- 2021/07/12

CVE-2021-22555 -- Heap Out-Of-Bounds Write in xt_compat_target_from_user

The compat IPT_SO_SET_REPLACE/IP6T_SO_SET_REPLACE setsockopt
implementation in the netfilter subsystem in the Linux kernel allows
local users to gain privileges or cause a denial of service (heap
memory corruption) via user namespace.

This vulnerability affects v2.6.19-rc1 to v5.11.

Fixed status
cip/4.19: [12ec80252edefff00809d473a47e5f89c7485499]
cip/4.19-rt: [12ec80252edefff00809d473a47e5f89c7485499]
cip/4.4: [b0d98b2193a38ef93c92e5e1953d134d0f426531]
cip/4.4-rt: not fixed yet
cip/5.10: not fixed yet

* Updated CVEs detail

CVE-2021-34693 -- can: bcm: fix infoleak in struct bcm_msg_head

Fixed status

cip/4.19: [8899857d7e450805e6410de5004126491f197146]
cip/4.19-rt: not fixed yet
cip/4.4: [f638caa211e7a121a5596986d29ebbdaf9156398]
cip/4.4-rt: not fixed yet
cip/5.10: not fixed yet

CVE-2021-35039 -- module: limit enabling module.sig_enforce

Fixed status

cip/4.19: [ff660863628fb144badcb3395cde7821c82c13a6]
cip/4.19-rt: not fixed yet
cip/4.4: not affected
cip/4.4-rt: not affected
cip/5.10: not fixed yet

* From last week CVE report

CVE-2020-28097 -- vgacon_scrolldelta out-of-bounds read

This vulnerability affects kernels before v5.9-rc6, so the v5.10 kernel is not affected.

Fixed status

cip/4.19: [f5fa64c8daf7b97280865c73903edc0a3eea819e]
cip/4.19-rt: [f5fa64c8daf7b97280865c73903edc0a3eea819e]
cip/4.4: [5f76b4c6ac297ce836abe17f495123f45bfc4fb3]
cip/4.4-rt: [5f76b4c6ac297ce836abe17f495123f45bfc4fb3]
cip/5.10: not affected

Since the CONFIG_VGACON_SOFT_SCROLLBACK option has been removed by this
CVE's fix, we can remove the option from the following configs in the
cip-kernel-config repo.

- 4.19.y-cip/x86/cip_qemu_defconfig
- 4.19.y-cip/x86/plathome_obsvx2.config
- 4.19.y-cip-rt/x86/siemens_i386-rt.config
- 4.4.y-cip/x86/cip_qemu_defconfig


CVE-2021-29256 -- Mali GPU Kernel Driver elevates CPU RO pages to writable

According to
https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver,
"This issue is fixed in Bifrost and Valhall GPU Kernel Driver r30p0. It
will be fixed in future Midgard release. Users are recommended to
upgrade if they are impacted by this issue." So it seems that this CVE
hasn't been fixed yet.

CVE-2021-31615 -- InjectaBLE: Injecting malicious traffic into
established Bluetooth Low Energy connections

According to
https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver,
"This issue is fixed in Bifrost and Valhall GPU Kernel Driver r30p0. It
will be fixed in future Midgard release. Users are recommended to
upgrade if they are impacted by this issue." So it seems that this CVE
hasn't been fixed yet.

CVE-2021-35039 -- Without CONFIG_MODULE_SIG, verification that a
kernel module is signed, for loading via init_module, does not occur
for a module.sig_enforce=1 command-line argument.

Fixed status

cip/4.19: [ff660863628fb144badcb3395cde7821c82c13a6]
cip/linux-4.4: not affected
cip/linux-4.4-rt: not affected
cip/5.10: not fixed yet

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* [cip-dev] New CVE entries this week
@ 2021-07-08  0:21 市川正美
  2021-07-11  8:32 ` Pavel Machek
  0 siblings, 1 reply; 44+ messages in thread
From: 市川正美 @ 2021-07-08  0:21 UTC (permalink / raw)
  To: cip-dev


Hi!

These are the new issues this week:

* 2021/06/30

CVE-2020-28097 -- vgacon_scrolldelta out-of-bounds read

The fixing commit removes software scrollback support, so the
CONFIG_VGACON_SOFT_SCROLLBACK option is removed from the kernel.
According to the cip-kernel-config repo, the following configs set the
CONFIG_VGACON_SOFT_SCROLLBACK option.

- 4.19.y-cip/x86/cip_qemu_defconfig
- 4.19.y-cip/x86/plathome_obsvx2.config
- 4.19.y-cip-rt/x86/siemens_i386-rt.config
- 4.4.y-cip/x86/cip_qemu_defconfig

This vulnerability affects kernels before Linux 5.8.10; therefore the
Linux 5.10.y series is not affected.

CVE-2020-36387 -- fs/io_uring.c has a use-after-free related to
io_async_task_func and ctx reference holding

This CVE affects kernels before Linux 5.8.2. However, io_uring was
introduced in Linux 5.1, so CIP kernels aren't affected by this
vulnerability.

CVE-2021-29256 -- Mali GPU Kernel Driver elevates CPU RO pages to writable

Following GPU architectures are affected.

- Bifrost r16p0 through r29p0 before r30p0
- Valhall r19p0 through r29p0 before r30p0
- Midgard r28p0 through r30p0

CVE-2021-31615 -- InjectaBLE: Injecting malicious traffic into
established Bluetooth Low Energy connections

Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core
Specifications 4.0 through 5.2 are affected.

* 2021/07/08

CVE-2021-35039 -- Without CONFIG_MODULE_SIG, verification that a
kernel module is signed, for loading via init_module, does not occur
for a module.sig_enforce=1 command-line argument.

This CVE affects v4.15 to v5.12, so the v4.4 kernel is not affected.

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* [cip-dev] New CVE entries this week
@ 2021-06-18  8:03 Pavel Machek
  2021-06-20 23:51 ` 市川正美
  0 siblings, 1 reply; 44+ messages in thread
From: Pavel Machek @ 2021-06-18  8:03 UTC (permalink / raw)
  To: cip-dev



Hi!

In the last import, CVE-2020-36385 and CVE-2020-36386 were confused. That's
fixed now. And we have the following new issues:

* 2021-06-13

CVE-2021-0129 -- Passkey Entry protocol of the Bluetooth Core is
vulnerable to an impersonation, fixed 4.9+

CVE-2021-0512 -- HID arrays, fixed 4.9+

CVE-2021-28691 -- Xen, fixed 5.10+

CVE-2021-3573 -- Bluetooth UAF, fixed 4.9+

* 2021-06-18

CVE-2021-32078 -- ARM: footbridge, hopefully no one uses this

CVE-2021-34693 -- can: bcm: fix infoleak in struct bcm_msg_head

CVE-2020-36386 -- An issue was discovered in the Linux kernel before
5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in
hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf.

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany




* [cip-dev] New CVE entries this week
@ 2021-06-10 17:05 Pavel Machek
  2021-06-17  2:09 ` 市川正美
  2021-06-17  2:45 ` 市川正美
  0 siblings, 2 replies; 44+ messages in thread
From: Pavel Machek @ 2021-06-10 17:05 UTC (permalink / raw)
  To: cip-dev



Hi!

These are the new issues this week:

Best regards,
								Pavel

* 2021-06-04

CVE-2021-33200 -- BPF fix turned out to be buggy.

* 2021-06-09

CVE-2021-0606 -- EoP in GPU DRM Driver / reported by android, probably upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 ... may be interesting?

CVE-2021-3587 -- redhat Bugzilla 1968057: CVE-2021-3587 kernel: nfc: Null pointer dereference in llcp_sock_getname

CVE-2020-36385 -- An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf.

CVE-2020-36387 -- An issue was discovered in the Linux kernel before 5.8.2. fs/io_uring.c has a use-after-free related to io_async_task_func and ctx reference holding, aka CID-6d816e088c35.

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany





end of thread, other threads:[~2023-07-27 11:31 UTC | newest]

Thread overview: 44+ messages
2022-06-08 23:44 New CVE entries this week Masami Ichikawa
2022-06-09  9:41 ` [cip-dev] " Pavel Machek
2022-06-09 12:06   ` Masami Ichikawa
  -- strict thread matches above, loose matches on Subject: below --
2023-07-26 23:15 Masami Ichikawa
2023-07-27  9:26 ` [cip-dev] " Pavel Machek
2023-07-27 11:30   ` Masami Ichikawa
2023-06-14 22:43 Masami Ichikawa
2023-06-15  8:41 ` [cip-dev] " Pavel Machek
2023-06-15 11:52   ` Masami Ichikawa
2022-11-09 23:02 Masami Ichikawa
2022-11-10  8:33 ` [cip-dev] " Pavel Machek
2022-10-20  0:48 Masami Ichikawa
2022-10-20  7:58 ` [cip-dev] " Pavel Machek
2022-10-20 13:10   ` Masami Ichikawa
2022-06-15 23:44 Masami Ichikawa
2022-06-16 12:04 ` [cip-dev] " Pavel Machek
2022-02-17  0:09 Masami Ichikawa
2022-02-17 11:55 ` [cip-dev] " Pavel Machek
2021-08-26  1:09 Masami Ichikawa
2021-08-26 10:01 ` Pavel Machek
     [not found] ` <169ED2F66B4753DB.9667@lists.cip-project.org>
2021-08-26 11:51   ` Pavel Machek
2021-08-26 12:43     ` Masami Ichikawa
2021-08-19  0:12 市川正美
2021-08-19  7:10 ` Pavel Machek
2021-08-19  8:37   ` Masami Ichikawa
2021-08-19  8:55   ` Nobuhiro Iwamatsu
2021-08-12  0:33 市川正美
2021-08-12  5:43 ` Pavel Machek
2021-08-12  8:40   ` 市川正美
2021-08-05  0:47 市川正美
2021-08-05  9:00 ` Pavel Machek
2021-08-06  0:46   ` 市川正美
2021-07-29  1:18 市川正美
2021-07-29  7:47 ` Pavel Machek
2021-07-29  8:11   ` 市川正美
2021-07-29  8:58     ` Pavel Machek
2021-07-29  7:50 ` Nobuhiro Iwamatsu
2021-07-29  8:12   ` 市川正美
2021-07-22  2:02 市川正美
2021-07-15  1:00 市川正美
2021-07-08  0:21 市川正美
2021-07-11  8:32 ` Pavel Machek
2021-07-11 11:13   ` masashi.kudo
2021-06-18  8:03 Pavel Machek
2021-06-20 23:51 ` 市川正美
2021-06-10 17:05 Pavel Machek
2021-06-17  2:09 ` 市川正美
2021-06-17 11:04   ` Masami Ichikawa
2021-06-18  8:01   ` Pavel Machek
2021-06-17  2:45 ` 市川正美
