cip-dev.lists.cip-project.org archive mirror
* New CVE entries in this week
From: Masami Ichikawa @ 2021-11-10 23:52 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 4 new CVEs were reported.

* New CVEs

CVE-2021-0920: af_unix: fix garbage collect vs MSG_PEEK

CVSS v3 score is not provided.

Mainline and stable kernels are already fixed.

Fixed status

mainline: [cbcf01128d0a92e131bd09f1688fe032480b65ca]
stable/4.14: [af3e2b87b36100c28feb71da52c57293c4540690]
stable/4.19: [1dabafa9f61118b1377fde424d9a94bf8dbf2813]
stable/4.4: [72247f34d90e25c1493436e45e193e8306082b19]
stable/4.9: [a805a7bd94644207d762d9c287078fecfcf52b3e]
stable/5.10: [93c5951e0ce137e994237c19cd75a7caa1f80543]
stable/5.4: [85abe0d47fe65391ed41f78a66b5eff73987c086]

CVE-2021-0929: staging: ion: move buffer kmap from begin/end_cpu_access()

CVSS v3 score is not provided.

ION is a memory manager which is used by Android. This CVE may affect
4.4, 4.19, and 5.10; however, according to the cip-kernel-config, no CIP
member enabled ION. The ION driver has been removed since 5.11.

Fixed status

mainline: [3e9e0c5c764704218c0960ffdb139de075afaadf]

CVE-2021-3736: uninitialized kernel stack may lead to information disclosure

According to the Red Hat
bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1995570), there
is a memory leak problem in samples/vfio-mdev/mbochs.c. This
vulnerability is in sample code. Also, no CIP member enabled
CONFIG_SAMPLE_VFIO_MDEV_MBOCHS. Bugzilla comment #6 pointed to commit
de5494af4815a4c9328536c72741229b7de88e7f ("vfio/mbochs: Fix missing
error unwind of mbochs_used_mbytes") as the fix commit, but this is not
confirmed yet. If commit de5494af4815a is the fix, this vulnerability
was introduced in 5.14-rc1.

Fixed status

Not fixed.

CVE-2021-43389: isdn: cpai: check ctr->cnr to avoid array index out of bound

CVSS v3 score is "5.5 MEDIUM".

An array index out of bounds bug in drivers/isdn/capi/kcapi.c.
This bug has been fixed in mainline and stable kernels. No CIP member
uses CAPI.

Fixed status

mainline: [1f3e2e97c003f80c4b087092b225c8787ff91e4d]
stable/4.14: [9b6b2db77bc3121fe435f1d4b56e34de443bec75]
stable/4.19: [7d91adc0ccb060ce564103315189466eb822cc6a]
stable/4.4: [e8b8de17e164c9f1b7777f1c6f99d05539000036]
stable/4.9: [24219a977bfe3d658687e45615c70998acdbac5a]
stable/5.10: [7f221ccbee4ec662e2292d490a43ce6c314c4594]
stable/5.14: [cc20226e218a2375d50dd9ac14fb4121b43375ff]
stable/5.4: [285e9210b1fab96a11c0be3ed5cea9dd48b6ac54]


* Updated CVEs

CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in
avc_ca_pmt()

4.19 and 5.X kernels have been fixed this week. However, applying the
patch to 4.4 and 4.9 failed.
According to the cip-kernel-config repo, no CIP member uses the firewire driver.

Fixed status

mainline: [35d2969ea3c7d32aee78066b1f3cf61a0d935a4e]
stable/4.19: [53ec9dab4eb0a8140fc85760fb50effb526fe219]
stable/5.10: [d7fc85f6104259541ec136199d3bf7c8a736613d]
stable/5.14: [02a476ca886dc8155025fe99cbbad4121d029fa7]
stable/5.15: [cb667140875a3b1db92e4c50b4617a7cbf84659b]
stable/5.4: [2461f38384d50dd966e1db44fe165b1896f5df5a]

CVE-2021-3892: memory leak in fib6_rule_suppress could result in DoS

According to the SUSE bugzilla
(https://bugzilla.suse.com/show_bug.cgi?id=1192261#c1), this CVE is a
duplicate of CVE-2019-18198.
If so, this CVE is already fixed.

CVE-2021-3640: UAF in sco_send_frame function

The fix commit is 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ("Bluetooth:
sco: Fix lock_sock() blockage by memcpy_from_msg()"). Backport patches
for 4.19, 5.4, 5.10, 5.14, and 5.15 were sent to the stable mailing
list on Nov 9. This fix can be applied to 4.4 by git-am without error.

mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* Re: [cip-dev] New CVE entries in this week
From: Pavel Machek @ 2021-11-11  9:21 UTC (permalink / raw)
  To: cip-dev


Hi!

> CVE-2021-0929: staging: ion: move buffer kmap from begin/end_cpu_access()
> 
> CVSS v3 score is not provided.
> 
> ION is a memory manager which is used by Android. This CVE may affect
> 4.4, 4.19, and 5.10 however according to the cip-kernel-config, no cip
> member enabled ION. The ION driver has been removed since 5.11.
> 
> Fixed status
> 
> mainline: [3e9e0c5c764704218c0960ffdb139de075afaadf]

Furthermore, CIP members should really not be using code from staging.

> * Updated CVEs
> 
> CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in
> avc_ca_pmt()
> 
> 4.19 and 5.X kernels have been fixed this week. However, applying the
> patch to 4.4 and 4.9 failed.
> According to the cip-kernel-config repo, no CIP member uses the firewire driver.

This one looks rather easy to backport. It failed only because of
reformatting of the printk.

> CVE-2021-3640: UAF in sco_send_frame function
> 
> Fixed commit is 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ("Bluetooth:
> sco: Fix lock_sock() blockage by memcpy_from_msg()"). Backport patches
> for 4.19, 5.4, 5.10, 5.14, and 5.15 have been sent to stable mailing
> list on Nov 9. This fix can be applied to 4.4 by git-am without error.
> 
> mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]

Would it make sense to ask why it was not applied?

Best regards,
								Pavel

diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
index 280b5ffea592..3a373711f5ad 100644
--- a/drivers/media/firewire/firedtv-avc.c
+++ b/drivers/media/firewire/firedtv-avc.c
@@ -1169,7 +1169,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
 		read_pos += program_info_length;
 		write_pos += program_info_length;
 	}
-	while (read_pos < length) {
+	while (read_pos + 4 < length) {
+		if (write_pos + 4 >= sizeof(c->operand) - 4) {
+			ret = -EINVAL;
+			goto out;
+		}
 		c->operand[write_pos++] = msg[read_pos++];
 		c->operand[write_pos++] = msg[read_pos++];
 		c->operand[write_pos++] = msg[read_pos++];
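Review bot: the new loop condition `while (read_pos + 4 < length)` silently stops when fewer than 5 bytes remain, so a truncated trailing ES entry is dropped rather than rejected, which is inconsistent with the other checks in this patch that return `-EINVAL`; if a short trailing entry is not a valid message, consider detecting it after the loop and failing explicitly. The added guard `if (write_pos + 4 >= sizeof(c->operand) - 4)` uses two magic constants; a one-line comment stating why 4 bytes are reserved at the end of `c->operand` and how many bytes one iteration of the loop body writes would let a reader verify the bound without reading the rest of the function.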
@@ -1181,13 +1185,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
 		c->operand[write_pos++] = es_info_length >> 8;
 		c->operand[write_pos++] = es_info_length & 0xff;
 		if (es_info_length > 0) {
+			if (read_pos >= length) {
+				ret = -EINVAL;
+				goto out;
+			}
 			pmt_cmd_id = msg[read_pos++];
 			if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
 				dev_err(fdtv->device, "invalid pmt_cmd_id %d "
 					"at stream level\n", pmt_cmd_id);
 
-			if (es_info_length > sizeof(c->operand) - 4 -
-					     write_pos) {
+			if (es_info_length > sizeof(c->operand) - 4 - write_pos ||
+			    es_info_length > length - read_pos) {
 				ret = -EINVAL;
 				goto out;
 			}
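Review bot: `sizeof(c->operand) - 4 - write_pos` is unsigned arithmetic, so it only bounds `es_info_length` correctly while `write_pos <= sizeof(c->operand) - 4`; that holds here only because of the `write_pos + 4 >= sizeof(c->operand) - 4` check added at the top of the loop, and nothing in this hunk records that dependency. Suggest a short comment above the condition, or rewriting it as `if (es_info_length > length - read_pos || write_pos + es_info_length > sizeof(c->operand) - 4)` so it does not rely on the earlier check. The new `if (read_pos >= length)` guard before `pmt_cmd_id = msg[read_pos++]` is correctly placed, since the `length - read_pos` bound below is computed after that byte is consumed.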
diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c
index e63f582378bf..f07482fb8010 100644
--- a/drivers/media/firewire/firedtv-ci.c
+++ b/drivers/media/firewire/firedtv-ci.c
@@ -138,6 +138,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg)
 	} else {
 		data_length = msg->msg[3];
 	}
+	if (data_length > sizeof(msg->msg) - data_pos)
+		return -EINVAL;
 
 	return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length);
 }
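Review bot: `data_length > sizeof(msg->msg) - data_pos` only rejects oversized lengths if `data_pos <= sizeof(msg->msg)`; if `data_pos` can ever exceed the buffer size, the unsigned subtraction wraps and the check passes. Nothing in this hunk shows how `data_pos` is derived, so either add a comment stating that the surrounding code bounds it, or guard it explicitly: `if (data_pos > sizeof(msg->msg) || data_length > sizeof(msg->msg) - data_pos)`. A `dev_err` message on the `-EINVAL` path, in the style already used in `avc_ca_pmt()`, would also help when diagnosing rejected CA PMT messages.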

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany



* Re: [cip-dev] New CVE entries in this week
From: Masami Ichikawa @ 2021-11-11 12:47 UTC (permalink / raw)
  To: cip-dev

Hi !

On Thu, Nov 11, 2021 at 6:21 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > CVE-2021-0929: staging: ion: move buffer kmap from begin/end_cpu_access()
> >
> > CVSS v3 score is not provided.
> >
> > ION is a memory manager which is used by Android. This CVE may affect
> > 4.4, 4.19, and 5.10 however according to the cip-kernel-config, no cip
> > member enabled ION. The ION driver has been removed since 5.11.
> >
> > Fixed status
> >
> > mainline: [3e9e0c5c764704218c0960ffdb139de075afaadf]
>
> Furthermore, CIP members should really not be using code from staging.
>
> > * Updated CVEs
> >
> > CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in
> > avc_ca_pmt()
> >
> > 4.19 and 5.X kernels have been fixed this week. However, applying the
> > patch to 4.4 and 4.9 failed.
> > According to the cip-kernel-config repo, no CIP member uses the firewire driver.
>
> This one looks rather easy to backport. It failed only because of
> reformatting of the printk.
>

Thank you for the patch! The patch looks good to me.

> > CVE-2021-3640: UAF in sco_send_frame function
> >
> > Fixed commit is 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ("Bluetooth:
> > sco: Fix lock_sock() blockage by memcpy_from_msg()"). Backport patches
> > for 4.19, 5.4, 5.10, 5.14, and 5.15 have been sent to stable mailing
> > list on Nov 9. This fix can be applied to 4.4 by git-am without error.
> >
> > mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]
>
> Would it make sense to ask why it was not applied?
>

Yes, I think so.

> Best regards,
>                                                                 Pavel
>
> diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
> index 280b5ffea592..3a373711f5ad 100644
> --- a/drivers/media/firewire/firedtv-avc.c
> +++ b/drivers/media/firewire/firedtv-avc.c
> @@ -1169,7 +1169,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
>                 read_pos += program_info_length;
>                 write_pos += program_info_length;
>         }
> -       while (read_pos < length) {
> +       while (read_pos + 4 < length) {
> +               if (write_pos + 4 >= sizeof(c->operand) - 4) {
> +                       ret = -EINVAL;
> +                       goto out;
> +               }
>                 c->operand[write_pos++] = msg[read_pos++];
>                 c->operand[write_pos++] = msg[read_pos++];
>                 c->operand[write_pos++] = msg[read_pos++];
> @@ -1181,13 +1185,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
>                 c->operand[write_pos++] = es_info_length >> 8;
>                 c->operand[write_pos++] = es_info_length & 0xff;
>                 if (es_info_length > 0) {
> +                       if (read_pos >= length) {
> +                               ret = -EINVAL;
> +                               goto out;
> +                       }
>                         pmt_cmd_id = msg[read_pos++];
>                         if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
>                                 dev_err(fdtv->device, "invalid pmt_cmd_id %d "
>                                         "at stream level\n", pmt_cmd_id);
>
> -                       if (es_info_length > sizeof(c->operand) - 4 -
> -                                            write_pos) {
> +                       if (es_info_length > sizeof(c->operand) - 4 - write_pos ||
> +                           es_info_length > length - read_pos) {
>                                 ret = -EINVAL;
>                                 goto out;
>                         }
> diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c
> index e63f582378bf..f07482fb8010 100644
> --- a/drivers/media/firewire/firedtv-ci.c
> +++ b/drivers/media/firewire/firedtv-ci.c
> @@ -138,6 +138,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg)
>         } else {
>                 data_length = msg->msg[3];
>         }
> +       if (data_length > sizeof(msg->msg) - data_pos)
> +               return -EINVAL;
>
>         return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length);
>  }
>
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries in this week
From: Masami Ichikawa @ 2022-01-26 23:51 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 4 new CVEs were reported.

* New CVEs

CVE-2022-0322: sctp: account stream padding length for reconf chunk

CVSS v3 score is not provided

This issue was introduced by commit cc16f00 ("sctp: add support for
generating stream reconf ssn reset request chunk") in 4.11-rc1, so 4.9
and 4.4 aren't affected by this issue. All kernels have been fixed.

Fixed status

mainline: [a2d859e3fc97e79d907761550dbc03ff1b36479c]
stable/4.14: [41f0bcc7d9eac315259d4e9fb441552f60e8ec9e]
stable/4.19: [c57fdeff69b152185fafabd37e6bfecfce51efda]
stable/5.10: [d84a69ac410f6228873d05d35120f6bdddab7fc3]
stable/5.4: [d88774539539dcbf825a25e61234f110513f5963]

CVE-2022-0264: bpf: Fix kernel address leakage in atomic fetch

CVSS v3 score is not provided

A local user who has certain privileges is able to gather kernel
internal memory addresses.
This issue was introduced by commit 38086bf ("bpf: Propagate stack
bounds to registers in atomics w/ BPF_FETCH"), which was merged in
5.12-rc1-dontuse. Fixed in 5.17-rc1, so kernels before 5.12 aren't
affected by this issue.

Fixed status

mainline: [7d3baf0afa3aa9102d6a521a8e4c41888bb79882]
stable/5.15: [423628125a484538111c2c6d9bb1588eb086053b]

CVE-2022-0330: drm/i915: Flush TLBs before releasing backing store

CVSS v3 score is not provided

Vulnerability in the i915 driver. Without an active IOMMU, malicious
userspace can gain access (from the code executing on the GPU) to
random memory pages.

Fixed status

mainline: [7938d61591d33394a21bdd7797a245b65428f44c]

CVE-2021-22600: net/packet: rx_owner_map depends on pg_vec

CVSS v3 score: NIST: not provided
CVSS v3 score: CNA: 6.6 medium

A double free bug in packet_set_ring() in net/packet/af_packet.c can
be exploited by a local user through crafted syscalls to escalate
privileges or deny service.
This issue was introduced by commit 61fad68 ("net/packet: tpacket_rcv:
avoid a producer race condition"). This commit was merged in 5.6.
However, it was backported to 5.4, 4.19, and 4.14, so these
kernels are also affected, but it was not backported to 4.4 and 4.9.

Fixed status

mainline: [ec6af094ea28f0f2dda1a6a33b14cd57e36a9755]
stable/4.14: [a829ff7c8ec494eca028824628a964cde543dc76]
stable/4.19: [18c73170de6719491f79b04c727ea8314c246b03]
stable/5.10: [7da349f07e457cad135df0920a3f670e423fb5e9]
stable/5.15: [feb116a0ecc5625d6532c616d9a10ef4ef81514b]
stable/5.4: [027a13973dadb64ef4f19db56c9b619ee82c3375]

* Updated CVEs

CVE-2022-0185: vfs: fs_context: fix up param length parsing in
legacy_parse_param

This issue affects 5.8 or later kernels; all stable
kernels have been fixed.

Fixed status

mainline: [722d94847de29310e8aa03fcbdb41fc92c521756]
stable/5.10: [eadde287a62e66b2f9e62d007c59a8f50d4b8413]
stable/5.15: [e192ccc17ecf3e78a1c6fb81badf9b50bd791115]
stable/5.16: [8b1530a3772ae5b49c6d8d171fd3146bb947430f]
stable/5.4: [bd2aed0464ae3d6e83ce064cd91fc1a7fec48826]

CVE-2021-43976: mwifiex_usb: Fix skb_over_panic in mwifiex_usb_recv

An attacker who can connect a crafted USB device can cause a DoS via this issue.
Fixed in the mainline.

Fixed status

mainline: [04d80663f67ccef893061b49ec8a42ff7045ae84]

CVE-2021-45469: f2fs: fix to do sanity check on last xattr entry in
__f2fs_setxattr()

Fixed in the mainline this week. For 4.4, commit ba38c27 ("f2fs:
enhance lookup xattr") and commit 2777e65 ("f2fs: fix to avoid
accessing xattr across the boundary"), and more patches are also
needed.

Fixed status

mainline: [645a3c40ca3d40cc32b4b5972bf2620f2eb5dba6]
stable/4.14: [88dedecc24763c2e0bc1e8eeb35f9f2cd785a7e5]
stable/4.19: [f9dfa44be0fb5e8426183a70f69a246cf5827f49]
stable/5.10: [fffb6581a23add416239dfcf7e7f3980c6b913da]
stable/5.15: [a8a9d753edd7f71e6a2edaa580d8182530b68791]
stable/5.4: [b0406b5ef4e2c4fb21d9e7d5c36a0453b4279e9b]

CVE-2021-4204: eBPF Improper Input Validation Vulnerability

The mainline kernel was fixed this week.

A local attacker can escalate privileges via this bug.
This bug is affecting the 5.8 or later kernel. The commit 457f4436
("bpf: Implement BPF ring buffer and verifier support for it")
introduced this issue.

To mitigate this issue, set kernel.unprivileged_bpf_disabled to 1.


Fixed status

mainline: [be80a1d3f9dbe5aee79a325964f7037fe2d92f30,
  d400a6cf1c8a57cdf10f35220ead3284320d85ff,
  6788ab23508bddb0a9d88e104284922cb2c22b77,
  64620e0a1e712a778095bd35cbb277dc2259281f,
  a672b2e36a648afb04ad3bda93b6bda947a479a5,
  722e4db3ae0d52b2e3801280afbe19cf2d188e91,
  37c8d4807d1b8b521b30310dce97f6695dc2c2c6]


Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries in this week
From: Masami Ichikawa @ 2022-01-12 23:39 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 7 new CVEs were reported.

* New CVEs

CVE-2021-39633: ip_gre: add validation for csum_start

CVSS v3 score is not provided

An information leak bug was found in gre_handle_offloads(), which is in
net/ipv4/ip_gre.c.
This fix uses skb_checksum_start() to check data, but this function was
introduced in 4.6-rc1 by commit 08b64fc ("net: Store checksum result for
offloaded GSO checksums"), so applying this patch requires commit
08b64fc too.

Fixed status

mainline: [1d011c4803c72f3907eccfc1ec63caefb852fcbf]
stable/4.14: [99279223a37b46dc7716ec4e0ed4b3e03f1cfa4c]
stable/4.19: [c33471daf2763c5aee2b7926202c74b75c365119]
stable/4.9: [41d5dfa408130433cc5f037ad89bed854bf936f7]
stable/5.10: [fb45459d9ddb1edd4a8b087bafe875707753cb10]
stable/5.4: [53b480e68c1c2c778b620cc7f45a2ba5dff518ca]

CVE-2021-39634: epoll: do not insert into poll queues until all sanity
checks are done

CVSS v3 score is not provided

A local attacker could gain privileges by abusing this bug. All
stable kernels and the mainline kernel have already been fixed.

Fixed status

mainline: [f8d4f44df056c5b504b0d49683fb7279218fd207]
stable/4.14: [23fb662b13e4f75688123e1d16aa7116f602db32]
stable/4.19: [3e3bbc4d23eeb90bf282e98c7dfeca7702df3169]
stable/4.4: [ea984dfe0e7978cd294eb6a640ac27fa1834ac8d]
stable/4.9: [a16d314ccda2efa6173f2ae7d386f99c61d273a4]
stable/5.4: [8993da3d4d3a7ae721e9dafa140ba64c0e632a50]

CVE-2021-4155: xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP
just like fallocate

CVSS v3 score is not provided

An information leak bug was found in xfs when using the XFS_IOC_ALLOCSP
operation via ioctl.
All stable kernels and the mainline kernel have been fixed.

Fixed status

mainline: [983d8e60f50806f90534cc5373d0ce867e5aaf79]
stable/4.14: [2af625c89bf4a41c8a0bc818d8cf30a291f216ca]
stable/4.19: [1c3564fca0e7b8c9e96245a2cb35e198b036ee9a]
stable/4.4: [56adcda55aa213e106224ff3d18ef4625e25f52b]
stable/4.9: [19e3d9a26f28f432ae89acec22ec47b2a72a502c]
stable/5.10: [16d8568378f9ee2d1e69216d39961aa72710209f]
stable/5.15: [b0e72ba9e520b95346e68800afff0db65e766ca8]
stable/5.4: [102af6edfd3a372db6e229177762a91f552e5f5e]

CVE-2021-4202: Race condition in nci_request() leads to use after free
while the device is getting removed

CVSS v3 score is not provided

Race condition bug in NFC device. A local attacker could do privilege
escalation via this bug. However, no CIP member enabled
CONFIG_NFC_NCI. All stable kernels and the mainline kernel have been
fixed.

Fixed status

mainline: [86cdf8e38792545161dbe3350a7eced558ba4d15,
48b71a9e66c2eab60564b1b1c85f4928ed04e406]
stable/4.14: [6e2944d8bbc58682691438b57620491b5a4b7cfb,
8937bfa226d4001875d8539ae811fce6d3df4c96]
stable/4.19: [62be2b1e7914b7340281f09412a7bbb62e6c8b67,
2350cffd71e74bf81dedc989fdec12aebe89a4a5]
stable/4.4: [6dc051117ba0e1dac9324593ff2c1c520f67ad21,
6f195c7691089c56cd1553a9ca3ca22790c0fe07]
stable/4.9: [4a59a3681158a182557c75bacd00d184f9b2a8f5,
57c076e64ab55adf556cc515914564d61979f7c2]
stable/5.10: [cb14b196d991c864ed2d1b6e79d68a7ce38e6538,
34e54703fb0fdbfc0a3cfc065d71e9a8353d3ac9]
stable/5.15: [96a209038a99a379444ea3ef9ae823e685ba60e7,
ed35e950d8e5658db5b45526be2c4e3778746909]
stable/5.4: [e418bb556ff801e11592851fd465415757a2ef68,
eff32973ecc3838d9a6dc5174bd24d76b120843c]

CVE-2021-4203: af_unix: fix races in sk_peer_pid and sk_peer_cred accesses

CVSS v3 score is not provided

A local attacker can cause a system crash or internal kernel
information leak via this issue.
All stable kernels and the mainline kernel have been fixed.

Fixed status

mainline: [35306eb23814444bd4021f8a1c3047d3cb0c8b2b]
stable/4.14: [9d76f723256d68eea16f0c563fc80b3c14258634]
stable/4.19: [0512a9aede6e4417c4fa6e0042a7ca8bc7e06b86]
stable/4.4: [323f0968a81b082cf02ef15b447cd35e4328385e]
stable/4.9: [09818f629bafbe20e24bac919019853ea3ac5ca4]
stable/5.10: [3db53827a0e9130d9e2cbe3c3b5bca601caa4c74]
stable/5.4: [0fcfaa8ed9d1dcbe377b202a1b3cdfd4e566114c]

CVE-2021-4204: eBPF Improper Input Validation Vulnerability

CVSS v3 score is not provided

A local attacker can escalate privileges via this bug.
This bug is affecting the 5.8 or later kernel. The commit 457f4436
("bpf: Implement BPF ring buffer and verifier support for it")
introduced this issue.

To mitigate this issue, set kernel.unprivileged_bpf_disabled to 1.

Fixed status

Not fixed yet.

CVE-2021-46283: netfilter: nf_tables: initialize set before expression setup

CVSS v3 score is not provided

A local attacker can cause a local DoS via this bug.
This issue was introduced by commit 65038428 ("netfilter: nf_tables:
allow to specify stateful expression in set definition"), which was
merged in 5.7-rc1. Kernels before 5.7 aren't affected by this issue.

Fixed status

mainline: [ad9f151e560b016b6ad3280b48e42fa11e1a5440]
stable/5.10: [36983fc2f87ea3b74a33bf460c9ee7329735b7b5]

* Updated CVEs

CVE-2021-45095: phonet: refcount leak in pep_sock_accep

Stable kernels are updated, so stable kernels and the mainline kernel
have been fixed.

Fixed status

mainline: [bcd0f93353326954817a4f9fa55ec57fb38acbb0]
stable/4.14: [a025db5658d5c10019ffed0d59026da8172897b6]
stable/4.19: [4dece2760af408ad91d6e43afc485d20386c2885]
stable/4.4: [172b3f506c24a61805b3910b9acfe7159d980b9b]
stable/4.9: [3bae29ecb2909c46309671090311230239f1bdd7]
stable/5.10: [4f260ea5537db35d2eeec9bca78a74713078a544]
stable/5.15: [9ca97a693aa8b86e8424f0047198ea3ab997d50f]
stable/5.4: [2a6a811a45fde5acb805ead4d1e942be3875b302]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries in this week
From: Masami Ichikawa @ 2021-12-29 23:29 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, six new CVEs were reported.

* New CVEs

CVE-2021-45469: f2fs: fix to do sanity check on last xattr entry in
__f2fs_setxattr()

CVSS v3 score is not provided

OOB access bug in __f2fs_setxattr().

Although it is fixed in stable trees, the patch isn't merged in the
mainline yet as of 2021/12/30. The commit 5598b24 ("f2fs: fix to do
sanity check on last xattr entry in __f2fs_setxattr()") is in
https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=dev&id=5598b24efaf4892741c798b425d543e4bed357a1
but not in the mainline.

Fixed status

stable/4.19: [f9dfa44be0fb5e8426183a70f69a246cf5827f49]
stable/5.10: [fffb6581a23add416239dfcf7e7f3980c6b913da]

CVE-2021-4154: cgroup: verify that source is a string

CVSS v3 score is not provided

A UAF bug was found in cgroup v1 code, which was introduced by commit
8d2451f4994f ("cgroup1: switch to option-by-option parsing"). This
commit was merged in 5.1-rc1. This bug will cause local DoS.
The mainline and stable kernels are fixed.

Fixed status

mainline: [3b0462726e7ef281c35a7a4ae33e93ee2bc9975b]
stable/5.10: [811763e3beb6c922d168e9f509ec593e9240842e]
stable/5.4: [c17363ccd620c1a57ede00d5c777f0b8624debe6]

CVE-2021-4157: pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()

CVSS v3 score is not provided

This OOB write bug was introduced by commit d67ae82 ("pnfs/flexfiles:
Add the FlexFile Layout Driver"), which was merged in 4.0-rc1. A local
attacker could crash the system or escalate privileges on the system.
The mainline and stable kernels are fixed.

Fixed status

mainline: [ed34695e15aba74f45247f1ee2cf7e09d449f925]
stable/4.14: [40286f0852d2ecfa713438199557c706dc6a8db3]
stable/4.19: [f27638a92f77d8107efbaf48a0d3bfa24da8cdad]
stable/4.4: [0c5ccd5e2a2e291774618c24c459fa397fd1b7da]
stable/4.9: [c621f3654bba1096ec913d0942e27bd032bb6090]
stable/5.10: [1fbea60ea658ab887fb899532d783732b04e53e6]
stable/5.4: [89862bd77e9cf511628eb7a97fe7f8d246192eec]

CVE-2021-45480: rds: memory leak in __rds_conn_create()

CVSS v3 score is not provided

This bug was introduced by commit aced3ce57cd3 ("RDS tcp loopback
connection can hang"), which was merged in 5.13-rc4.

Fixed status

mainline: [5f9562ebe710c307adc5f666bf1a2162ee7977c0]
stable/4.19: [1ed173726c1a0082e9d77c7d5a85411e85bdd983]
stable/5.10: [74dc97dfb276542f12746d706abef63364d816bb]
stable/5.15: [68014890e4382ff9192e1357be39b7d0455665fa]
stable/5.4: [166f0adf7e7525c87595ceadb21a91e2a9519a1e]

CVE-2021-45485: ipv6: use prandom_u32() for ID generation

CVSS v3 score is not provided

CVE-2021-45485 and CVE-2021-45486 are related issues. The bug fix
commit 62f20e0 is a complement to aa6dd21 ("inet: use bigger hash
table for IP ID generation"), which is CVE-2021-45486.
The mainline and stable kernels are fixed.

Fixed status

mainline: [62f20e068ccc50d6ab66fdb72ba90da2b9418c99]
stable/4.14: [4b55d7b3106a410cdab4ea60f5e55ca0668c6a09]
stable/4.19: [f0be58ec9931907e980cf21737e51d369808eb95]
stable/4.4: [c43fa9ee9f1de295474a28903607f84209d7e611]
stable/4.9: [3fc852e59c0a48094cc0f1b2e866604986bbcd31]
stable/5.10: [8f939b79579715b195dc3ad36669707fce6853ee]
stable/5.4: [ccde03a6a0fbdc3c0ba81930e629b8b14974cce4]

CVE-2021-45486: inet: use bigger hash table for IP ID generation

CVE-2021-45485 and CVE-2021-45486 are related issues. This CVE fixes
commit 73f156a ("inetpeer: get rid of ip_id_count"). The commit
73f156a was merged in 3.16-rc1.
The mainline and stable kernels are fixed.

Fixed status

mainline: [aa6dd211e4b1dde9d5dc25d699d35f789ae7eeba]
stable/4.14: [3ba51ed2c3ac36aa947d0b250d318de6ed7cf552]
stable/4.19: [7f7e23df8509e072593200400a4b094cc44376d2]
stable/4.4: [8fb8c138b5d69128964e54e1b5ee49fc395f011c]
stable/4.9: [0889f0a3bb2de535f48424491d8f9d5954a3cde8]
stable/5.10: [a273c27d7255fc527023edeb528386d1b64bedf5]
stable/5.4: [fee81285bd09ec2080ce2cbb5063aad0e58eb272]

* Updated CVEs

No updated CVEs.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,

-- 
/**
* Masami Ichikawa
* personal: masami256@gmail.com
* fedora project: masami@fedoraproject.org
*/



* New CVE entries in this week
From: Masami Ichikawa @ 2021-12-23  0:48 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 12 new CVEs were reported. Some of them aren't fixed yet.

* New CVEs

CVE-2021-44733: tee: handle lookup of shm with reference count 0

CVSS v3 score is not provided

UAF bug in the TEE subsystem. This bug could allow a local attacker to
do privilege escalation.
The patch is being reviewed. This bug was introduced by 967c9cca2cc5
("tee: generic TEE subsystem"), which has been merged since 4.12-rc1.
The tee driver was merged in 4.12-rc1, so versions before this aren't affected.

Fixed status

Not fixed yet.

CVE-2021-45095: phonet: refcount leak in pep_sock_accep

CVSS v3 score is not provided

This issue is a refcount leak in pep_sock_accep(). It's been fixed in
the mainline.

Fixed status

mainline: [bcd0f93353326954817a4f9fa55ec57fb38acbb0]

CVE-2021-45100: ksmbd: disable SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1

CVSS v3 score is not provided

The ksmbd server sometimes communicates in cleartext even though
encryption is enabled.
A patch was acked but not merged into mainline yet as of 2021/12/17.
fs/ksmbd was moved/renamed from fs/cifs in 5.15-rc1 by commit
1a93084 ("ksmbd: move fs/cifsd to fs/ksmbd").

The patch modifies init_smb3_11_server() and decode_compress_ctxt().
However these functions aren't found in stable/5.10, stable/4.19, and
stable/4.4 trees.

Fixed status

not fixed yet.

CVE-2021-28711: Rogue backends can cause DoS of guests via high
frequency events (blkfront)
CVE-2021-28712: Rogue backends can cause DoS of guests via high
frequency events (netfront)
CVE-2021-28713: Rogue backends can cause DoS of guests via high
frequency events (hvc_xen(console))

CVSS v3 scores are not provided

CVE-2021-28711, CVE-2021-28712, and CVE-2021-28713 are Xen subsystem
bugs that are related to XSA-319.
Each backend is assigned a CVE and has its own patch.

- blkfront: CVE-2021-28711
- netfront: CVE-2021-28712
- hvc_xen(console): CVE-2021-28713

The above CVEs are fixed in mainline and all stable kernels.

Fixed status

CVE-2021-28711
mainline: [0fd08a34e8e3b67ec9bd8287ac0facf8374b844a]
stable/4.14: [5ac3b68b79c9e964dd6f3cf80ff825518e502b79]
stable/4.19: [269d7124bcfad2558d2329d0fe603ca20b20d3f4]
stable/4.4: [3e04b9e6aa7d77287e70a400be83060d2b7b2cfe]
stable/4.9: [25898389795bd85d8e1520c0c75c3ad906c17da7]
stable/5.10: [8ac3b6ee7c9ff2df7c99624bb1235e2e55623825]
stable/5.15: [caf9b51829a50590b84daea924a0fd62d32bc952]
stable/5.4: [4ed9f5c511ce95cb8db05ff82026ea901f45fd76]

CVE-2021-28712
mainline: [b27d47950e481f292c0a5ad57357edb9d95d03ba]
stable/4.14: [4bf81386e3d6e5083c93d51eff70260bcec091bb]
stable/4.19: [3559ca594f15fcd23ed10c0056d40d71e5dab8e5]
stable/4.4: [81900aa7d7a130dec4c55b68875e30fb8c9effec]
stable/4.9: [99120c8230fdd5e8b72a6e4162db9e1c0a61954a]
stable/5.10: [d31b3379179d64724d3bbfa87bd4ada94e3237de]
stable/5.15: [a29c8b5226eda52e6d6ff151d9343558ea3ad451]
stable/5.4: [3e68d099f09c260a7dee28b99af02fe6977a9e66]

CVE-2021-28713
mainline: [fe415186b43df0db1f17fa3a46275fd92107fe71]
stable/4.14: [68b78f976ca47d52c03c41eded207a312e46b934]
stable/4.19: [57e46acb3b48ea4e8efb1e1bea2e89e0c6cc43e2]
stable/4.4: [c7eaa5082bccfc00dfdb500ac6cc86d6f24ca027]
stable/4.9: [728389c21176b2095fa58e858d5ef1d2f2aac429]
stable/5.10: [8fa3a370cc2af858a9ba662ca4f2bd0917550563]
stable/5.15: [153d1ea3272209fc970116f09051002d14422cde]
stable/5.4: [560e64413b4a6d9bd6630e350d5f2e6a05f6ffe3]

CVE-2021-28714, CVE-2021-28715: Guest can force Linux netback driver
to hog large amounts of kernel memory

CVSS v3 scores are not provided

CVE-2021-28714 and CVE-2021-28715 are Xen subsystem bugs that are
related to XSA-392.
These CVEs are fixed in mainline and all stable kernels.

Fixed status

CVE-2021-28714
mainline: [6032046ec4b70176d247a71836186d47b25d1684]
stable/4.14: [eae85b8c6e17d3e3888d9159205390e8dbcff6a8]
stable/4.19: [1de7644eac41981817fb66b74e0f82ca4477dc9d]
stable/4.9: [1f66dc775092e5a353e0155fc3aca5dabce77c63]
stable/5.10: [525875c410df5d876b9615c44885ca7640aed6f2]
stable/5.15: [88449dbe6203c3a91cf1c39ea3032ad61a297bd7]
stable/5.4: [8bfcd0385211044627f93d170991da1ae5937245]

CVE-2021-28715
mainline: [be81992f9086b230623ae3ebbc85ecee4d00a3d3]
stable/4.14: [9bebb2eedf679b3be4acaa20efda97f32c999d74]
stable/4.19: [c9f17e92917fd5786be872626a3928979ecc4c39]
stable/4.4: [0928efb09178e01d3dc8e8849aa1c807436c3c37]
stable/4.9: [b4226b387436315e7f57465c15335f4f4b5b075d]
stable/5.10: [88f20cccbeec9a5e83621df5cc2453b5081454dc]
stable/5.15: [bd926d189210cd1d5b4e618e45898053be6b4b3b]
stable/5.4: [0d99b3c6bd39a0a023e972d8f912fd47698bbbb8]

CVE-2021-4135: netdevsim: Zero-initialize memory for new map's value
in function nsim_bpf_map_alloc

CVSS v3 score is not provided

This bug was introduced in 4.16-rc1 by commit 395cacb5f1a0 ("netdevsim:
bpf: support fake map offload"), so kernels before this version are not
affected. This bug has been fixed in mainline since 5.16-rc6.

Fixed status

mainline: [481221775d53d6215a6e5e9ce1cce6d2b4ab9a46]
stable/4.19: [d861443c4dc88650eed113310d933bd593d37b23]
stable/5.10: [1a34fb9e2bf3029f7c0882069d67ff69cbd645d8]
stable/5.15: [27358aa81a7d60e6bd36f0bb1db65cd084c2cad0]
stable/5.4: [699e794c12a3cd79045ff135bc87a53b97024e43]

CVE-2021-4148: Improper implementation of block_invalidatepage()
allows users to crash the kernel

CVSS v3 score is not provided

This issue allows a local user to perform a DoS attack on the system. The
root cause has been analyzed, but it is not fixed yet.

Fixed status

Not fixed yet.

CVE-2021-4149: Improper lock operation in btrfs

CVSS v3 score is not provided

There is a deadlock problem in fs/btrfs/extent-tree.c. This problem
allows a local attacker to perform a DoS attack on the system.
The patch specifies that the vulnerable kernel version is 5.4 or later.
In stable/4.4 and stable/4.9, the buf value is not locked in
btrfs_init_new_buffer(). However, stable/4.19 takes a lock in
btrfs_init_new_buffer()
(https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/btrfs/extent-tree.c?h=linux-4.19.y#n8145),
so it seems 4.19 has the same issue.

Fixed status

mainline: [19ea40dddf1833db868533958ca066f368862211]
stable/5.10: [206868a5b6c14adc4098dd3210a2f7510d97a670]
stable/5.4: [005a07c9acd6cf8a40555884f0650dfd4ec23fbe]

CVE-2021-4150: Block subsystem mishandles reference counts

CVSS v3 score is not provided

This fix adds a return statement at the out_put label so that it does not
fall through to the out_put_disk label. The out_put_disk label was added
by commit 9d3b881 ("block: change the refcounting for partitions") in
5.15-rc1. So it looks like kernels before 5.15 are not affected by this
issue.

Fixed status

mainline: [9fbfabfda25d8774c5a08634fdd2da000a924890]


* Updated CVEs

CVE-2021-3752: UAF in bluetooth

The mainline and stable kernels have been fixed.

Fixed status

mainline: [1bff51ea59a9afb67d2dd78518ab0582a54a472c]
stable/4.14: [cd76d797a690969186c0c100e8a301c4480e4e7f]
stable/4.19: [72bb30165337b7bce77578ad151fbfab6c8e693c]
stable/4.4: [88aed7d67197d155260f09078835290adfa1debd]
stable/4.9: [d19ea7da0eeb61be28ec05d8b8bddec3dde71610]
stable/5.10: [c10465f6d6208db2e45a6dac1db312b9589b2583]
stable/5.15: [7e22e4db95b04f09adcce18c75d27cbca8f53b99]
stable/5.4: [67bd269a84ce29dfc543c1683a2553b4169f9a55]

CVE-2021-4028: use-after-free in RDMA listen()

Fixed in mainline and stable kernels. This bug was introduced in
5.10-rc1, so kernels before this version aren't affected.

Fixed status

mainline: [bc0bdc5afaa740d782fbf936aaeebd65e5c2921d]
stable/5.10: [0a16c9751e0f1de96f08643216cf1f19e8a5a787]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,


^ permalink raw reply	[flat|nested] 13+ messages in thread
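The posts above list fix commits per stable branch in a fixed layout ("Fixed status", then one "mainline:" or "stable/X.Y:" line per branch, with hash lists that may wrap onto the next line or, as in one entry above, lose their closing bracket). As an added example, not part of the cip-dev posts or the CIP project's tooling, the following parses that layout and reports which tracked branches still lack a fix for each CVE. The sample report text is constructed, its commit hashes are made up, and the tracked-branch list is an assumption.

```python
"""Parse the "Fixed status" blocks of a weekly CVE report (added example;
the sample report below is constructed and its hashes are made up)."""
import re
from typing import Dict, List

# Assumption: the stable branches a downstream consumer of the report tracks.
TRACKED_BRANCHES = ["stable/4.4", "stable/4.19", "stable/5.10"]

CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# "mainline: [<hashes>" / "stable/5.10: [<hashes>"; the list may continue on
# the next line and the closing ']' may be missing, as happens in the posts.
STATUS_RE = re.compile(r"^(mainline|stable/\d+(?:\.\d+)?):\s*\[(.*)$")
HASH_RE = re.compile(r"\b[0-9a-f]{7,40}\b")

FixMap = Dict[str, Dict[str, List[str]]]  # cve -> branch -> fix hashes


def _collect(fixes: FixMap, cves: List[str], branch: str, chunk: str) -> bool:
    """Append the hashes in chunk to every current CVE; True once ']' closes the list."""
    hashes = HASH_RE.findall(chunk)
    for cve in cves:
        fixes[cve].setdefault(branch, []).extend(hashes)
    return "]" in chunk


def parse_report(text: str) -> FixMap:
    fixes: FixMap = {}
    current: List[str] = []   # CVE ids the following status lines belong to
    pending = None            # branch whose hash list has not seen its ']' yet
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("CVE-"):
            # Heading ("CVE-x: title", "CVE-x, CVE-y: title") or a bare "CVE-x"
            # selector inside a shared Fixed status block. Only ids before the
            # first ':' count, so a CVE named in the title is not registered.
            current = CVE_ID_RE.findall(line.split(":", 1)[0])
            for cve in current:
                fixes.setdefault(cve, {})
            pending = None
            continue
        m = STATUS_RE.match(line)
        if m and current:
            branch, rest = m.group(1), m.group(2)
            for cve in current:
                fixes[cve].setdefault(branch, [])
            pending = None if _collect(fixes, current, branch, rest) else branch
            continue
        if pending is not None:
            if not line:
                pending = None  # a blank line ends an unterminated list
            elif _collect(fixes, current, pending, line):
                pending = None
    return fixes


def missing_fixes(fixes: FixMap, branches: List[str] = TRACKED_BRANCHES) -> Dict[str, List[str]]:
    """Tracked branches with no fix hash per CVE. A CVE whose status is
    "Not fixed yet." (no hashes at all) lists every tracked branch."""
    gaps: Dict[str, List[str]] = {}
    for cve, per_branch in sorted(fixes.items()):
        lacking = [b for b in branches if not per_branch.get(b)]
        if lacking:
            gaps[cve] = lacking
    return gaps


# Constructed sample in the posts' layout; CVE ids and hashes are made up.
SAMPLE_REPORT = """\
CVE-2021-0000: example: first constructed entry

CVSS v3 score is not provided

Fixed status

mainline: [a1a1a1a1a1a1]
stable/4.19: [b2b2b2b2b2b2]
stable/5.10: [c3c3c3c3c3c3,
  d4d4d4d4d4d4]

CVE-2021-0001, CVE-2021-0002: example: two CVEs under one heading

Fixed status

CVE-2021-0001
mainline: [e5e5e5e5e5e5
stable/4.4: [f6f6f6f6f6f6]

CVE-2021-0002
mainline: [070707070707]

CVE-2021-0003: example: regression for CVE-2018-0000, not fixed yet

Fixed status

Not fixed yet.
"""

if __name__ == "__main__":
    for cve, branches in missing_fixes(parse_report(SAMPLE_REPORT)).items():
        print(f"{cve}: no fix recorded for {', '.join(branches)}")
```

Feed it the body of a post and the output is the per-branch gap list; a CVE that appears with every tracked branch is one with no fix information at all, which is the case worth re-checking against the kernel trees rather than trusting the report alone.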

* New CVE entries in this week
@ 2021-12-15 23:49 Masami Ichikawa
  0 siblings, 0 replies; 13+ messages in thread
From: Masami Ichikawa @ 2021-12-15 23:49 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported ten new CVEs and two of them aren't fixed in the
mainline yet.

* New CVEs

CVE-2021-0961: In quota_proc_write of xt_quota2.c, there is a possible
way to read kernel memory due to uninitialized data

CVSS v3 score is not provided

This bug is fixed in the Android kernel. There are three commits that fix this bug.

https://android.googlesource.com/kernel/common/+/e113eb454e92
https://android.googlesource.com/kernel/common/+/60a4c35570d9
https://android.googlesource.com/kernel/common/+/4b05a506bda0

These commits modify net/netfilter/xt_quota2.c, which is an Android
specific source file. So this CVE is an Android specific bug. The mainline and
stable kernels aren't affected.

Fixed status

The mainline and stable kernels aren't affected.

CVE-2021-39648: usb: gadget: configfs: Fix use-after-free issue with udc_name

CVSS v3 score is not provided

The 4.4 kernel's gadget_dev_desc_UDC_show() is a bit different from later
kernel versions. However, it looks like 4.4 also has the same issue.

Fixed status

mainline: [64e6bbfff52db4bf6785fab9cffab850b2de6870]
stable/4.14: [6766064c794afeacc29b21fc09ea4dbe3cae1af3]
stable/4.19: [83b74059fdf1c4fa6ed261725e6f301552ad23f7]
stable/4.9: [225330e682fa9aaa152287b49dea1ce50fbe0a92]
stable/5.10: [a4b202cba3ab1a7a8b1ca92603931fba5e2032c3]
stable/5.4: [bcffe2de9dde74174805d5f56a990353e33b8072]

CVE-2021-39656: configfs: fix a use-after-free in __configfs_open_file

The bug-introducing commit b0841ee was merged in 5.3-rc8. This commit isn't
backported to 4.4, so 4.4 isn't affected.

Fixed status

mainline: [14fbbc8297728e880070f7b077b3301a8c698ef9]
stable/4.14: [4769013f841ed35bdce3b11b64349d0c166ee0a2]
stable/4.19: [9123463620132ada85caf5dc664b168f480b0cc4]
stable/4.9: [6f5c47f0faed69f2e78e733fb18261854979e79f]
stable/5.10: [109720342efd6ace3d2e8f34a25ea65036bb1d3b]
stable/5.4: [73aa6f93e1e980f392b3da4fee830b0e0a4a40ff]

CVE-2021-39657: scsi: ufs: Correct the LUN used in
eh_device_reset_handler() callback

CVSS v3 score is not provided

The bug was fixed in 5.11-rc4, so mainline and stable kernels are already fixed.

Fixed status

mainline: [35fc4cd34426c242ab015ef280853b7bff101f48]
stable/4.14: [30f2a89f9481f851bc68e51a1e7114392b052231]
stable/4.19: [b397fcae2207963747c6f947ef4d06575553eaef]
stable/4.4: [a4cdbf4805bfed8f39e6b25f113588064d9a6ac5]
stable/4.9: [7bbac19e604b2443c93f01c3259734d53f776dbf]
stable/5.10: [2536194bb3b099cc9a9037009b86e7ccfb81461c]
stable/5.4: [97853a7eae80a695a18ce432524eaa7432199a41]

CVE-2021-4090: kernel: Overflow of bmval[bmlen-1] in
nfsd4_decode_bitmap function

CVSS v3 score is not provided

OOB write bug in nfsd. This bug was introduced by commit d1c263a
("NFSD: Replace READ* macros in nfsd4_decode_fattr()") in 5.11-rc1 and
fixed in 5.16-rc2. Kernels before 5.11 aren't affected by this issue.

Fixed status

mainline: [c0019b7db1d7ac62c711cda6b357a659d46428fe]
stable/5.15: [10c22d9519f3f5939de61a1500aa3a926b778d3a]

CVE-2021-4093: KVM: SVM: out-of-bounds read/write in sev_es_string_io

CVSS v3 score is not provided

OOB read/write bug in AMD SVM mode. This bug was introduced by commit
7ed9abf ("KVM: SVM: Support string IO operations for an SEV-ES guest"),
which was merged in 5.11-rc1. Kernels before 5.11 aren't affected by
this issue.

Fixed status

mainline: [95e16b4792b0429f1933872f743410f00e590c55]

CVE-2021-4095: KVM: NULL pointer dereference in kvm_dirty_ring_get()
in virt/kvm/dirty_ring.c

CVSS v3 score is not provided

This issue was introduced by commit 629b534 ("KVM: x86/xen: update
wallclock region"), which was merged in 5.12-rc1-dontuse. Kernels before
5.12-rc1-dontuse aren't affected by this issue.
The patch is being reviewed.

Fixed status

Not fixed yet.

CVE-2021-3864: descendant's dumpable setting with certain SUID binaries

CVSS v3 score is not provided

This bug makes it possible to write a coredump file anywhere. However,
abusing this bug for something like arbitrary code execution requires
some program. A PoC is at https://www.openwall.com/lists/oss-security/2021/10/20/2.
Two mitigation techniques are suggested, so users are recommended to
follow these mitigation techniques.

Fixed status

Not fixed yet.

CVE-2021-4083: fget: check that the fd still exists after getting a ref to it

CVSS v3 score is not provided

UAF bug in fs/file.c; it causes a system crash or privilege escalation.
The mainline and all stable kernels are already fixed.

Fixed status

mainline: [054aa8d439b9185d4f5eb9a90282d1ce74772969]
stable/4.14: [98548c3a9882a1ea993a103be7c1b499f3b88202]
stable/4.19: [8bf31f9d9395b71af3ed33166a057cd3ec0c59da]
stable/4.4: [8afa4ef999191477506b396fae518338b8996fec]
stable/4.9: [a043f5a600052dc93bc3d7a6a2c1592b6ee77482]
stable/5.10: [4baba6ba56eb91a735a027f783cc4b9276b48d5b]
stable/5.15: [6fe4eadd54da3040cf6f6579ae157ae1395dc0f8]
stable/5.4: [03d4462ba3bc8f830d9807e3c3fde54fad06e2e2]

CVE-2021-39685: Linux Kernel USB Gadget buffer overflow

CVSS v3 score is not provided

Buffer overflow bug in USB gadget devices. An attacker can read and/or
write up to 65k of kernel memory.
It is already fixed in mainline and all stable kernels.

Fixed status

mainline: [153a2d7e3350cc89d406ba2d35be8793a64c2038,
86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3]
stable/4.14: [e7c8afee149134b438df153b09af7fd928a8bc24,
d8cd524ae4ec788011a14be17503fc224f260fe3]
stable/4.19: [13e45e7a262dd96e8161823314679543048709b9,
32de5efd483db68f12233fbf63743a2d92f20ae4]
stable/4.4: [93cd7100fe471c5f76fb942358de4ed70dbcaf35,
af21211c327c4703c7681fa7286c4d660682e413]
stable/4.9: [d2ca6859ea96c6d4c6ad3d6873a308a004882419,
e4de8ca013f06ad4a0bf40420a291c23990e4131]
stable/5.10: [7193ad3e50e596ac2192531c58ba83b9e6d2444b,
e4de8ca013f06ad4a0bf40420a291c23990e4131]
stable/5.15: [36dfdf11af49d3c009c711fb16f5c6e7a274505d,
6eea4ace62fa6414432692ee44f0c0a3d541d97a]
stable/5.4: [fd6de5a0cd42fc43810bd74ad129d98ab962ec6b,
9978777c5409d6c856cac1adf5930e3c84f057be]

* Updated CVEs

no updated CVEs.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 13+ messages in thread

* New CVE entries in this week
@ 2021-12-08 23:44 Masami Ichikawa
  0 siblings, 0 replies; 13+ messages in thread
From: Masami Ichikawa @ 2021-12-08 23:44 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported three new CVEs.

* New CVEs

CVE-2021-1048: fix regression in "epoll: Keep a reference on files
added to the check list"

CVSS v3 score is not provided

The bug is in ep_loop_check_proc(), which mishandled a file reference.
This bug has been fixed in 5.9-rc4, so 5.9 or later kernels aren't
affected.

Fixed status

mainline: [77f4689de17c0887775bb77896f4cc11a39bf848]
stable/4.14: [c5c6e00f6cc5d3ed0d6464b14e33f2f5c8505888]
stable/4.19: [37d933e8b41b83bb8278815e366aec5a542b7e31]
stable/4.4: [6504c100804870911f074fd67f280756b6805958]
stable/4.9: [8238ee93a30a5ff6fc75751e122a28e0d92f3e12]
stable/5.4: [88405cf0f2bd771670b76c42b169527ff86048da]

CVE-2021-39636: "no details"

CVSS v3 score is not provided

There are no vulnerability details yet. However, five patches are
referenced, so the bug is in the netfilter module.

f32815d ("xtables: add xt_match, xt_target and data copy_to_user
functions"): merged in 4.11-rc1
f77bc5b ("iptables: use match, target and data copy_to_user helpers"):
merged in 4.11-rc1
e47ddb2 ("ip6tables: use match, target and data copy_to_user
helpers"): merged in 4.11-rc1
ec23189 ("xtables: extend matches and targets with .usersize"): merged
in 4.11-rc1
1e98ffe ("netfilter: x_tables: fix pointer leaks to userspace"):
merged in 4.16-rc1. This fixes commit ec23189 ("xtables: extend
matches and targets with .usersize") that was merged in 4.11-rc1.

Fixed status

mainline: [f32815d21d4d8287336fb9cef4d2d9e0866214c2,
f77bc5b23fb1af51fc0faa8a479dea8969eb5079,
  e47ddb2c4691fd2bd8d25745ecb6848408899757,
ec23189049651b16dc2ffab35a4371dc1f491aca,
  1e98ffea5a8935ec040ab72299e349cb44b8defd]
stable/4.14: [f32815d21d4d8287336fb9cef4d2d9e0866214c2,
f77bc5b23fb1af51fc0faa8a479dea8969eb5079,
  e47ddb2c4691fd2bd8d25745ecb6848408899757,
ec23189049651b16dc2ffab35a4371dc1f491aca,
  ad10785a706e63ff155fc97860cdcc5e3bc5992d]

CVE-2018-25020: bpf: fix truncated jump targets on heavy expansions

CVSS v3 score is not provided

The BPF subsystem in the kernel through 4.17-rc7 has an overflow bug.

Fixed status

mainline: [050fad7c4534c13c8eb1d9c2ba66012e014773cb]

* Updated CVEs

CVE-2021-4037: kernel: security regression for CVE-2018-13405

Commit 01ea173 ("fix up non-directory creation in SGID
directories") has been merged since 5.12-rc1-dontuse, so kernels after this
version aren't affected.

Fixed status

mainline: [01ea173e103edd5ec41acec65b9261b87e123fc2]

CVE-2021-4002: hugetlbfs: flush TLBs correctly after huge_pmd_unshare

The stable 4.14, 4.4, and 4.9 kernels were fixed this week.

Fixed status

mainline: [a4a118f2eead1d6c49e00765de89878288d4b890]
stable/4.14: [7bf1f5cb5150b1a53f6ccaadc0bc77f8f33206c8]
stable/4.19: [b0313bc7f5fbb6beee327af39d818ffdc921821a]
stable/4.4: [8a8ae093b52ba76b650b493848d67e7b526c8751]
stable/4.9: [8e80bf5d001594b037de04fb4fe89f34cfbcb3ba]
stable/5.10: [40bc831ab5f630431010d1ff867390b07418a7ee]
stable/5.15: [556d59293a2a94863797a7a50890992aa5e8db16]
stable/5.4: [201340ca4eb748c52062c5e938826ddfbe313088]

CVE-2021-43975: atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait

The stable 4.19, 5.10, 5.15, and 5.4 kernels were fixed this week.

Fixed status

mainline: [b922f622592af76b57cbc566eaeccda0b31a3496]
stable/4.19: [0275fcd9b54f0364f66f2f3f6a0f3748648f3d35]
stable/5.10: [2c514d25003ac89bb7716bb4402918ccb141f8f5]
stable/5.15: [cec49b6dfdb0b9fefd0f17c32014223f73ee2605]
stable/5.4: [89d15a2e40d7edaaa16da2763b349dd7b056cc09]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 13+ messages in thread
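Several posts note that a fix is in mainline but not yet in a given stable tree, and list a different hash per stable branch. As an added example, not the report author's or the CIP project's own code, the following checks that directly against a git checkout: first whether the mainline hash itself is reachable from the branch, then, because stable backports are cherry-picked under new hashes, whether any commit on the branch carries the "commit <hash> upstream." reference line that stable backports put in their message. The demo repository, its branch names and the commit subject are constructed; real linux-stable branches would be e.g. linux-4.19.y.

```python
"""Check whether a stable branch carries a fix commit (added example; the
demo repository, branch names and commit subjects below are constructed)."""
import shutil
import subprocess
import tempfile
from typing import Optional, Tuple

# Identity used only for the constructed demo commits.
DEMO_IDENTITY = ["-c", "user.name=demo", "-c", "user.email=demo@example.invalid"]


def git_available() -> bool:
    return shutil.which("git") is not None


def git(repo: str, *args: str, check: bool = True) -> subprocess.CompletedProcess:
    return subprocess.run(["git", "-C", repo, *DEMO_IDENTITY, *args],
                          capture_output=True, text=True, check=check)


def fix_status(repo: str, sha: str, branch: str) -> Tuple[str, Optional[str]]:
    """("fixed", sha) if sha is reachable from branch; ("backported", sha2) if a
    commit on branch names sha as its upstream; otherwise ("missing", None)."""
    if git(repo, "merge-base", "--is-ancestor", sha, branch, check=False).returncode == 0:
        return "fixed", sha
    # Stable backports keep the line "commit <mainline sha> upstream." in
    # their message; that is the only link between the two hashes.
    hits = git(repo, "log", "--format=%H", f"--grep=commit {sha} upstream", branch).stdout.split()
    if hits:
        return "backported", hits[0]
    return "missing", None


def make_demo_repo() -> Tuple[str, str]:
    """Constructed repository: a base commit, the fix on the default branch,
    one stable branch that backports it with the upstream reference line and
    one that does not. Returns (repo_path, mainline_fix_sha)."""
    repo = tempfile.mkdtemp(prefix="cve-fix-check-")
    subprocess.run(["git", "init", "-q", repo], check=True, capture_output=True)
    git(repo, "commit", "-q", "--allow-empty", "-m", "base")
    default = git(repo, "rev-parse", "--abbrev-ref", "HEAD").stdout.strip()
    git(repo, "branch", "stable-4.19.y")
    git(repo, "branch", "stable-5.10.y")
    git(repo, "commit", "-q", "--allow-empty", "-m", "example: fix the CVE")
    fix = git(repo, "rev-parse", "HEAD").stdout.strip()
    git(repo, "checkout", "-q", "stable-5.10.y")
    git(repo, "commit", "-q", "--allow-empty", "-m", "example: fix the CVE",
        "-m", f"commit {fix} upstream.")
    git(repo, "checkout", "-q", default)
    return repo, fix


if __name__ == "__main__":
    if not git_available():
        raise SystemExit("git is not installed")
    repo, fix = make_demo_repo()
    for branch in ("stable-5.10.y", "stable-4.19.y"):
        print(branch, *fix_status(repo, fix, branch))
    shutil.rmtree(repo)
```

Against a real linux-stable clone, call fix_status with the mainline hash from a post and the branch name (for instance linux-5.10.y); a "missing" result for a CVE the post marks as fixed on that branch is the discrepancy to chase, and a "backported" result gives the stable hash to record in its place.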

* New CVE entries in this week
@ 2021-12-02  0:57 Masami Ichikawa
  0 siblings, 0 replies; 13+ messages in thread
From: Masami Ichikawa @ 2021-12-02  0:57 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 5 new CVEs.

* New CVEs

CVE-2021-4002: hugetlbfs: flush TLBs correctly after huge_pmd_unshare

It's already been fixed in the mainline. This bug was introduced in
3.6-rc1, so all stable kernels are affected by this
vulnerability.

CVSS v3 score is not provided

Fixed status

mainline: [a4a118f2eead1d6c49e00765de89878288d4b890]
stable/5.10: [40bc831ab5f630431010d1ff867390b07418a7ee]
stable/5.15: [556d59293a2a94863797a7a50890992aa5e8db16]
stable/5.4: [201340ca4eb748c52062c5e938826ddfbe313088]

CVE-2021-4028: use-after-free in RDMA listen()

CVSS v3 score is not provided

A local attacker can escalate privileges on the system by using this UAF bug.

Fixed status

Not fixed yet.

CVE-2021-4023: Improper IO-uring request cancellation operation allows
local users to cause a crash

According to Red Hat bugzilla #2026484, it was fixed by commit
713b982 ("io-wq: fix cancellation on create-worker failure"). This bug
was introduced and fixed in 5.15-rc1. Kernels before 5.15 aren't
affected by this issue.

CVSS v3 score is not provided

Fixed status

mainline: [713b9825a4c47897f66ad69409581e7734a8728e]

CVE-2021-4032: kvm: mishandling of memory error during VCPU
construction can lead to DoS

CVSS v3 score is not provided

According to the SUSE bugzilla, it was fixed by f7d8a19 ("Revert "KVM:
x86: Open code necessary bits of kvm_lapic_set_base() at vCPU
RESET""). This bug was introduced in 5.15-rc1 and fixed in 5.15-rc7,
so kernels before 5.15 aren't affected by this issue.

Fixed status

mainline: [f7d8a19f9a056a05c5c509fa65af472a322abfee]

CVE-2021-4037: kernel: security regression for CVE-2018-13405

CVSS v3 score is not provided

According to Red Hat bugzilla #2027239, the patch for CVE-2018-13405
isn't sufficient when the fs is XFS. It looks like commit 01ea173 ("xfs: fix up
non-directory creation in SGID directories") is the fix commit. This
commit was merged in 5.12-rc1-dontuse. The mainline and stable/5.15
contain this patch, but it hasn't been backported to other stable kernels.

Fixed status

Not yet.

* Updated CVEs

CVE-2020-27820: use-after-free in nouveau kernel module

5.10 and 5.15 were fixed this week.

Fixed status

mainline: [aff2299e0d81b26304ccc6a1ec0170e437f38efc,
abae9164a421bc4a41a3769f01ebcd1f9d955e0e,
  f55aaf63bde0d0336c3823bb3713bd4a464abbcf]
stable/5.10: [c81c90fbf5775ed1b907230eaaa766fa0e1b7cfa,
9221aff33edb627ea52a51379862f46e63e7c0c9,
  82de15ca6b5574fc0e2f54daa1de00b5b2dcf32f]
stable/5.15: [0b1a35d63995497a9186113c60a16e7ae59642c1,
4ee6807a1ad756ca151eaa4ac57c96ffbbac926f,
  c3d06f6067bf4a6bb3e988251e1b718a295bb60b]


CVE-2021-4001: bpf: Fix toctou on read-only map's constant scalar tracking

stable/5.15 was fixed this week.

Fixed status

mainline: [353050be4c19e102178ccc05988101887c25ae53]
stable/5.15: [a5d1d3522232b4af1f5dee02d381e6fa86be8e2d]

CVE-2021-3640:

Fixed status

mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951,
e04480920d1eec9c061841399aa6f35b6f987d8b,
  734bc5ff783115aa3164f4e9dd5967ae78e0a8ab,
49d8a5606428ca0962d09050a5af81461ff90fbb,
  ba316be1b6a00db7126ed9a39f9bee434a508043,
27c24fda62b601d6f9ca5e992502578c4310876f]
stable/4.19: [c1c913f797f3d2441310182ad75b7bd855a327ff,
3719acc161d5c1ce09912cc1c9eddc2c5faa3c66,
  3f7b869c1b44108a8cbf3e4a763ddac9df548d73,
728ff4b213cb6d66505e545ab820f3de5be1662a,
  48669c81a65628ef234cbdd91b9395952c7c27fe]
stable/4.9: [9bbe312ebea40c9b586c2b07a0d0948ff418beca,
0e77f979a97d3d517fad0b51249ba6fb8ae2d365,
  2240cbbd0d710c3b07ef5380fb6a1dfaedaf980b]
stable/5.10: [4dfba42604f08a505f1a1efc69ec5207ea6243de,
f2f856b65ac4b77049c76c0e89ecd3a177e9fcd1,
  98d44b7be6f1bcfd4f824c5f8bc2b742f890879f,
c20d8c197454068da758a83e09d93683f520d681,
  a1073aad497d0d071a71f61b721966a176d50c08 ]
stable/5.14: [2c2b295af72e4e30d17556375e100ae65ac0b896,
e04480920d1eec9c061841399aa6f35b6f987d8b,
  9ebb5a7757073da64d10a12621d0cedaca3aa215,
db63399389bc3f6b0d146f8020ca243a6b700d9d,
  b657bba82ff6a007d84fd076bd73b11131726a2b]
stable/5.15: [b990c219c4c9d4993ef65ea9db73d9497e70f697,
e04480920d1eec9c061841399aa6f35b6f987d8b,
  734bc5ff783115aa3164f4e9dd5967ae78e0a8ab,
11080de0a75cba7e00c1060d60ea484615d7a3d3,
  ba316be1b6a00db7126ed9a39f9bee434a508043,
27c24fda62b601d6f9ca5e992502578c4310876f]
stable/5.4: [d416020f1a9cc5f903ae66649b2c56d9ad5256ab,
ff29fe26ab8679bc13a3f0bf5b2911535a1cfc35,
  0d563020b8a3b835afa5c902610de700808546ec,
6237a1685c28c93b6477db46fbf67b7f0a0139e6,
  37d7ae2b0578f2373674a755402ee722e96edc08]

CVE-2021-33098: Improper input validation in the Intel(R) Ethernet
ixgbe driver for Linux before version 3.17.3 may allow an
authenticated user to potentially enable denial of service via local
access

The mainline and some of the stable kernels were fixed this week. This
bug was introduced in v3.8-rc1 (872844d ("ixgbe: Enable jumbo frames
support w/ SR-IOV")) and fixed in 5.13-rc4. v4.4 contains commit
872844d, but this commit requires the ETH_MIN_MTU value, which is introduced
by commit a52ad51 ("net: deprecate eth_change_mtu, remove usage")
and doesn't exist in the 4.4 tree.

Fixed status

mainline: [63e39d29b3da02e901349f6cd71159818a4737a6]
stable/4.14: [5217f9cab7dd28e9c7626cd795e51da98ecb2af4]
stable/4.19: [938ffd6d2dd78fb83b9346c9b689e2a3a6fe7174]
stable/5.10: [3cfd11506ed032446358eedf7e31b4defd819d91]
stable/5.4: [cf20c704a26eb763daf6bfb10369a4f11fef2d9a]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 13+ messages in thread

* New CVE entries in this week
@ 2021-11-25  2:41 Masami Ichikawa
  0 siblings, 0 replies; 13+ messages in thread
From: Masami Ichikawa @ 2021-11-25  2:41 UTC (permalink / raw)
  To: cip-dev


Hi !

It's this week's CVE report.

This week reported two new CVEs.

* New CVEs

CVE-2021-33098: Improper input validation in the Intel(R) Ethernet ixgbe
driver for Linux before version 3.17.3 may allow an authenticated user to
potentially enable denial of service via local access.

CVSS v3 score is 5.5 MEDIUM.

Intel released a fixed version of the driver kit. Not sure whether this CVE
affects the mainline source code.

Fixed status

Intel released a fixed version of the driver kit.

CVE-2021-4001: bpf: Fix toctou on read-only map's constant scalar tracking

CVSS v3 score is not provided.

This bug was introduced in 5.5-rc1 and fixed in 5.16-rc2. The patch for 5.15
is in the stable-rt tree. The patches for 5.4
(https://lore.kernel.org/stable/163757721744154@kroah.com/) and 5.10
(https://lore.kernel.org/stable/1637577215186161@kroah.com/) failed to
apply. However, this bug was introduced in 5.5-rc1, so 5.4 can be ignored?

Fixed status

mainline: [353050be4c19e102178ccc05988101887c25ae53]

* Updated CVEs

CVE-2021-3640: UAF in sco_send_frame function

5.10 and 5.15 were fixed this week.

Fixed status

mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]
stable/5.10: [4dfba42604f08a505f1a1efc69ec5207ea6243de]
stable/5.14: [2c2b295af72e4e30d17556375e100ae65ac0b896]
stable/5.15: [b990c219c4c9d4993ef65ea9db73d9497e70f697]
stable/5.4: [d416020f1a9cc5f903ae66649b2c56d9ad5256ab]

CVE-2021-43975: atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait

The mainline kernel was fixed in 5.16-rc2.

Fixed status

mainline: [b922f622592af76b57cbc566eaeccda0b31a3496]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 13+ messages in thread

* New CVE entries in this week
@ 2021-11-18  0:05 Masami Ichikawa
  0 siblings, 0 replies; 13+ messages in thread
From: Masami Ichikawa @ 2021-11-18  0:05 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported two new CVEs. They have not been fixed in the mainline yet.

* New CVEs

CVE-2021-43975: atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait

CVSS v3 score is not provided.

OOB read/write bug in the aQuantia device driver code. The patch was merged
into the netdev tree on Nov 15.

Fixed status

Not fixed in the mainline yet.

CVE-2021-43976: mwifiex_usb: Fix skb_over_panic in mwifiex_usb_recv

CVSS v3 score is not provided.

The bug is in the Marvell WiFi-Ex driver code. The patch is being reviewed
on the linux-wireless list
(https://patchwork.kernel.org/project/linux-wireless/patch/YX4CqjfRcTa6bVL+@Zekuns-MBP-16.fios-router.home/).

Fixed status

Not yet.

* Updated CVEs

CVE-2021-37159: net: hso: do not call unregister if not registered

4.4 and 4.9 have been fixed. All stable kernels are fixed.

Fixed status

mainline: [a6ecfb39ba9d7316057cea823b196b734f6b18ca]
stable/4.14: [4c0db9c4b3701c29f47bac0721e2f7d2b15d8edb]
stable/4.19: [f6cf22a1ef49f8e131f99c3f5fd80ab6b23a2d21]
stable/4.4: [cbefdf724282e6a948885f379dc92ab841c2fee0]
stable/4.9: [88b912e02d75bacbb957d817db70e6a54ea3a21c]
stable/5.10: [115e4f5b64ae8d9dd933167cafe2070aaac45849]
stable/5.13: [eeaa4b8d1e2e6f10362673d283a97dccc7275afa]
stable/5.4: [fe57d53dd91d7823f1ceef5ea8e9458a4aeb47fa]


CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in
avc_ca_pmt()

stable/4.14 has been fixed.

Fixed status

stable/4.14: [8d6c05da808f8351db844b69a9d6ce7f295214bb]
stable/4.19: [53ec9dab4eb0a8140fc85760fb50effb526fe219]
stable/5.10: [d7fc85f6104259541ec136199d3bf7c8a736613d]
stable/5.14: [02a476ca886dc8155025fe99cbbad4121d029fa7]
stable/5.15: [cb667140875a3b1db92e4c50b4617a7cbf84659b]
stable/5.4: [2461f38384d50dd966e1db44fe165b1896f5df5a]

CVE-2020-27820: use-after-free in nouveau kernel module

Patches were merged in 5.16-rc1.

Fixed status

mainline: [aff2299e0d81b26304ccc6a1ec0170e437f38efc,
abae9164a421bc4a41a3769f01ebcd1f9d955e0e,
  f55aaf63bde0d0336c3823bb3713bd4a464abbcf]

CVE-2021-3640: UAF in sco_send_frame function

The patch was merged in 5.16-rc1. Patches for 4.4, 4.9, 4.14, 4.19, and 5.10
are in the stable-rc tree.

Fixed status

mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]
stable/5.14: [2c2b295af72e4e30d17556375e100ae65ac0b896]
stable/5.4: [d416020f1a9cc5f903ae66649b2c56d9ad5256ab]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 13+ messages in thread

* New CVE Entries in this week
@ 2021-11-04  1:11 Masami Ichikawa
  0 siblings, 0 replies; 13+ messages in thread
From: Masami Ichikawa @ 2021-11-04  1:11 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 4 new CVEs.

* New CVEs

CVE-2021-43057: selinux,smack: fix subjective/objective credential use mixups

CVSS v3 score is "7.8 HIGH".

selinux and smack have a UAF bug which allows a local attacker to
escalate privileges.
This bug was introduced in 5.13-rc1, so kernels before 5.13 aren't affected.
All stable kernels are fixed.

Fixed status

mainline: [a3727a8bac0a9e77c70820655fd8715523ba3db7]
stable/5.14: [bef2b32a149030babba8ad5d2b6c121638fb911d]

CVE-2021-3892: memory leak in fib6_rule_suppress could result in DoS

CVSS v3 score is not provided.

According to the Red Hat
bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=2014623),
"The kernel leaks memory when firewalld IPv6_rpfilter is enabled
and a suppress_prefix rule is present in the IPv6 routing rules (used
by certain tools such as wg-quick). In such scenarios, every incoming
packet will leak an allocation in ip6_dst_cache slab cache." It seems
like this CVE allows a remote DoS attack; however, it requires some
conditions to do it.

Fixed status

Not fixed yet.

CVE-2021-34981: Bluetooth CMTP Module Double Free Privilege Escalation
Vulnerability

This CVE is fixed in 5.14-rc1.

Fixed status

mainline: [3cfdf8fcaafa62a4123f92eb0f4a72650da3a479]
stable/4.19: [f8be26b9950710fe50fb45358df5bd01ad18efb7]
stable/4.9: [77c559407276ed4a8854dafc4a5efc8608e51906]
stable/5.10: [1b364f8ede200e79e25df0df588fcedc322518fb]
stable/5.4: [fe201316ac36c48fc3cb2891dfdc8ab68058734d]

CVE-2021-43267: tipc: fix size validations for the MSG_CRYPTO type

This vulnerability was introduced in 5.1-rc1, so kernels before 5.10
aren't affected by this issue.
The mainline and stable kernels have been fixed.

Fixed status

mainline: [fa40d9734a57bcbfa79a280189799f76c88f7bb0]
stable/5.10: [0b1b3e086b0af2c2faa9938c4db956fe6ce5c965]
stable/5.14: [e029c9828c5b503b11a609fcc7c5840de2db3fb4]

* Updated CVEs

CVE-2021-3772: Invalid chunks may be used to remotely remove existing
associations

This bug is in the SCTP stack; an attacker may be able to send a packet
with a spoofed IP address if the attacker knows the IP address and port number
being used.

Below is the backport status of each patch.

* 4f7019c7eb33 ("sctp: use init_tag from inithdr for ABORT chunk")
stable/4.4: backported
stable/4.19: backported
stable/4.9: backported
stable/5.10: backported
stable/5.4: backported

* eae578390804 ("sctp: fix the processing for INIT chunk")
stable/4.4: not yet
stable/4.19: not yet
stable/4.9: not yet
stable/5.10: not yet
stable/5.4: not yet

* 438b95a7c98f ("sctp: fix the processing for INIT_ACK chunk")
stable/4.4: not yet
stable/4.19: not yet
stable/4.9: not yet
stable/5.10: backported
stable/5.4: backported

* a64b341b8695 ("sctp: fix the processing for COOKIE_ECHO chunk")
stable/4.4: not yet
stable/4.19: backported
stable/4.9: not yet
stable/5.10: backported
stable/5.4: backported

* aa0f697e4528 ("sctp: add vtag check in sctp_sf_violation")
stable/4.4: backported
stable/4.19: backported
stable/4.9: backported
stable/5.10: backported
stable/5.4: backported

* ef16b1734f0a ("sctp: add vtag check in sctp_sf_do_8_5_1_E_sa")
stable/4.4: not yet
stable/4.19: backported
stable/4.9: not yet
stable/5.10: backported
stable/5.4: backported

* 9d02831e517a ("sctp: add vtag check in sctp_sf_ootb")
stable/4.4: not yet
stable/4.19: backported
stable/4.9: not yet
stable/5.10: backported
stable/5.4: backported

Fixed status

mainline: [4f7019c7eb33967eb87766e0e4602b5576873680,
  eae5783908042a762c24e1bd11876edb91d314b1,
  438b95a7c98f77d51cbf4db021f41b602d750a3f,
  a64b341b8695e1c744dd972b39868371b4f68f83,
  aa0f697e45286a6b5f0ceca9418acf54b9099d99,
  ef16b1734f0a176277b7bb9c71a6d977a6ef3998,
  9d02831e517aa36ee6bdb453a0eb47bd49923fe3]
stable/4.19: [1f52dfacca7bb315d89f5ece5660b0337809798e,
  86044244fc6f9eaec0070cb668e0d500de22dbba,
  aa0f697e45286a6b5f0ceca9418acf54b9099d99,
  ef16b1734f0a176277b7bb9c71a6d977a6ef3998,
  9d02831e517aa36ee6bdb453a0eb47bd49923fe3]
stable/4.4: [629d2823abf957bcbcba32154f1f6fd49bdb850c,
  c0b5302e3a74997b57985b561e776269d1951ac7]
stable/4.9: [42ce7a69f8140783bab908dc29a93c0bcda315d5,
  16d0bfb045abf587c72d46dfea56c20c4aeda927]
stable/5.10: [a7112b8eeb14b3db21bc96abc79ca7525d77e129,
  c2442f721972ea7c317fbfd55c902616b3151ad5,
  14c1e02b11c2233343573aff90766ef8472f27e7,
  dad2486414b5c81697aa5a24383fbb65fad13cae,
  8c50693d25e4ab6873b32bc3cea23b382a94d05f,
  ad111d4435d85fd3eeb2c09692030d89f8862401]
stable/5.14: [332933f9ae0a17f6e362ec0f35ed51e7bc8e76d6,
  6277d424ead2702798e8b981fb6f51b8ec2304ec,
  7975f42f10380ff9743a7ee94ef3cb81f1a8275d,
  44ef3ecbc24a532fde6a8c7b87b3e55d4ad1c1d1,
  dd82b3a345abf6fc325e748469d9d7f477a0b718,
  1c255b5f68f4dac3f1f0f24741575aac2325470a,
  0717c71deae69aa3511492c302dd44a2f3722184]
stable/5.4: [5953ee99bab134d74c805a00eaa20fed33f54255,
  5fe74d5e4d58262e4adde277ef773032c57e873d,
  d6470c2200253da67a439aa18c9ce32a127c5a61,
  0aa322b5fe70204d3d7f9d1d4cd265fdff2e5a1f,
  df527764072c5fb7ede93a41cc8f3acbf41dde8c,
  0f5b4c57dc8573bdb9926b17748065ac2104b1d1]

CVE-2021-42327: drm/amdgpu: fix out of bounds write

parse_write_buffer_into_params() was introduced in 5.9, so
kernels before 5.9 aren't affected by this vulnerability.

This CVE was fixed by 5afa7898ab7a ("drm/amdgpu: fix out of bounds
write"); however, the next commit 3f4e54bd312d ("drm/amdgpu: Fix even more
out of bound writes from debugfs") says that amdgpu_dm_debugfs.c
contains the same issues, so it'd be nice to apply 3f4e54bd312d
("drm/amdgpu: Fix even more out of bound writes from debugfs") too.

Fixed status

mainline: [5afa7898ab7a0ec9c28556a91df714bf3c2f725e]
stable/5.10: [eb3b6805e3e9d98b2507201fd061a231988ce623]
stable/5.14: [d3ed72495a59fbfb9377450c8dfe94389a6509a7]

CVE-2021-20322: new DNS Cache Poisoning Attack based on ICMP fragment
needed packets replies

Updated the stable/5.4 and stable/4.19 fixed revisions.
It seems like stable/4.4 and stable/4.9 need to backport the following patches.
- 4785305c05b2 ("ipv6: use siphash in rt6_exception_hash()")
- a00df2caffed ("ipv6: make exception cache less predictible")
- 6457378fe796 ("ipv4: use siphash instead of Jenkins in fnhe_hashfun()")

Fixed status

mainline: [4785305c05b25a242e5314cc821f54ade4c18810,
  6457378fe796815c973f631a1904e147d6ee33b1,
  a00df2caffed3883c341d5685f830434312e4a43,
  67d6d681e15b578c1725bad8ad079e05d1c48a8e]
stable/4.19: [3e6bd2b583f18da9856fc9741ffa200a74a52cba,
  6e2856767eb1a9cfcfcd82136928037f04920e97,
  ad829847ad59af8e26a1f1c345716099abbc7a58,
  c6d0d68d6da68159948cad3d808d61bb291a0283]
stable/4.4: [bed8941fbdb72a61f6348c4deb0db69c4de87aca]
stable/4.9: [f10ce783bcc4d8ea454563a7d56ae781640e7dcb]
stable/5.10: [8692f0bb29927d13a871b198adff1d336a8d2d00,
  5867e20e1808acd0c832ddea2587e5ee49813874,
  dced8347a727528b388f04820f48166f1e651af6,
  beefd5f0c63a31a83bc5a99e6888af884745684b]
stable/5.14: [4785305c05b25a242e5314cc821f54ade4c18810,
  6457378fe796815c973f631a1904e147d6ee33b1,
  55938482a1461a35087c6f3051f8447662889ea8,
  4589a12dcf80af31137ef202be1ff4a321707a73]
stable/5.4: [3f439c231a035bab056a5e20b1fd16f4c4c483c1,
  4ba6c163fe64e0836acd0708962fb30cf78dbd42,
  f73cbdd1b8e7ea32c66138426f826c8734b70c18,
  e46e23c289f62ccd8e2230d9ce652072d777ff30]

CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in
avc_ca_pmt()

According to the cip-kernel-config repo, no CIP member uses the firewire driver.

Fixed status

mainline: [35d2969ea3c7d32aee78066b1f3cf61a0d935a4e]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

Fixed in bluetooth-next tree.

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/net/bluetooth/sco.c?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

