Hi!

It's this week's CVE report.

7 new CVEs were reported this week.

* New CVEs

CVE-2021-20320: kernel: s390 eBPF JIT miscompilation issues fixes.

This bug is in the BPF subsystem and is specific to the s390 architecture. The patches haven't been backported to the 4.4 kernel. However, according to cip-kernel-config, it looks like no one uses s390, so can we ignore it until someone backports the patches?

CVSS v3 score is not provided.

Fixed status

mainline: [db7bee653859ef7179be933e7d1384644f795f26, 6e61dc9da0b7a0d91d57c2e20b5ea4fd2d4e7e53, 1511df6f5e9ef32826f20db2ee81f8527154dc14]
stable/4.19: [ddf58efd05b5d16d86ea4638675e8bd397320930]
stable/4.9: [c22cf38428cb910f1996839c917e9238d2e44d4b, 8a09222a512bf7b32e55bb89a033e08522798299]
stable/5.10: [d92d3a9c2b6541f29f800fc2bd44620578b8f8a6, 4320c222c2ffe778a8aff5b8bc4ac33af6d54eba, ab7cf225016159bc2c3590be6fa12965565d903b]
stable/5.14: [7a31ec4d215a800b504de74b248795f8be666f8e, 6a8787093b04057d855822094d63d04a2506444a, a7593244dc31ad0eea70319f6110975f9c738dca]

CVE-2021-20321: kernel: In Overlayfs missing a check for a negative dentry before calling vfs_rename()

CVSS v3 score is not provided.

A local attacker can escalate their privileges up to root via an overlayfs vulnerability. The patch for 4.4 failed to apply (https://lore.kernel.org/stable/163378772914820@kroah.com/). The patch needs to be modified. I attached a patch; if it looks good, I'll send it to the stable mailing list.

Fixed status

mainline: [a295aef603e109a47af355477326bd41151765b6]
stable/4.14: [1caaa820915d802328bc72e4de0d5b1629eab5da]
stable/4.19: [9d4969d8b5073d02059bae3f1b8d9a20cf023c55]
stable/4.9: [286f94453fb34f7bd6b696861c89f9a13f498721]
stable/5.10: [9763ffd4da217adfcbdcd519e9f434dfa3952fc3]
stable/5.14: [71b8b36187af58f9e67b25021f5debbc04a18a5d]
stable/5.4: [fab338f33c25c4816ca0b2d83a04a0097c2c4aaf]

CVE-2021-3847: low-privileged user privileges escalation

CVSS v3 score is not provided.

A local attacker can escalate their privileges up to root via an overlayfs vulnerability (https://www.openwall.com/lists/oss-security/2021/10/14/3).

Fixed status

Not fixed yet.

CVE-2021-42252: soc: aspeed: lpc-ctrl: Fix boundary check for mmap

CVSS v3 score is not provided.

This bug was introduced in 4.12-rc1, so all stable kernels are fixed.

Fixed status

mainline: [b49a0e69a7b1a68c8d3f64097d06dabb770fec96]
stable/4.14: [b1b55e4073d3da6119ecc41636a2994b67a2be37]
stable/4.19: [9c8891b638319ddba9cfa330247922cd960c95b0]
stable/5.10: [3fdf2feb6cbe76c6867224ed8527b356e805352c]
stable/5.14: [865f5ba9fdfc3ac6acabcac9630056ce99db600d]
stable/5.4: [2712f29c44f18db826c7e093915a727b6f3a20e4]

CVE-2021-20322: new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies

CVSS v3 score is not provided.

A flaw was found in the Linux kernel's processing of received ICMP errors (ICMP fragment needed and ICMP redirect) that allows open UDP ports to be scanned quickly. This flaw allows an off-path remote user to effectively bypass source port UDP randomization. This flaw is similar to the previous CVE-2020-25705 (both are DNS poisoning attacks based on ICMP replies for open port scanning, but using another type of ICMP packet).

Commit 4785305c ("ipv6: use siphash in rt6_exception_hash()") fixes 35732d01 ("ipv6: introduce a hash table to store dst cache"), which was merged in 4.15-rc1. stable/4.4 doesn't contain upstream commit 35732d01. stable/4.19 contains upstream commit 35732d01.

Commit 6457378f ("ipv4: use siphash instead of Jenkins in fnhe_hashfun()") fixes d546c621 ("ipv4: harden fnhe_hashfun()"), which was merged in 3.18-rc1. stable/4.4 and stable/4.19 contain upstream commit d546c621.

Commit a00df2ca ("ipv6: make exception cache less predictible") fixes 35732d01 ("ipv6: introduce a hash table to store dst cache"), which was merged in 4.15-rc1. stable/4.4 doesn't contain upstream commit 35732d01. stable/4.19 contains upstream commit 35732d01.

Commit 67d6d681 ("ipv4: make exception cache less predictible") fixes 4895c771 ("ipv4: Add FIB nexthop exceptions."), which was merged in 3.6-rc1. stable/4.19 applied this patch at commit 3e6bd2b5. stable/4.4 applied this patch at commit bed8941f.

Fixed status

mainline: [4785305c05b25a242e5314cc821f54ade4c18810, 6457378fe796815c973f631a1904e147d6ee33b1, a00df2caffed3883c341d5685f830434312e4a43, 67d6d681e15b578c1725bad8ad079e05d1c48a8e]
stable/4.19: [3e6bd2b583f18da9856fc9741ffa200a74a52cba]
stable/4.4: [bed8941fbdb72a61f6348c4deb0db69c4de87aca]
stable/4.9: [f10ce783bcc4d8ea454563a7d56ae781640e7dcb]
stable/5.10: [8692f0bb29927d13a871b198adff1d336a8d2d00, 5867e20e1808acd0c832ddea2587e5ee49813874, dced8347a727528b388f04820f48166f1e651af6, beefd5f0c63a31a83bc5a99e6888af884745684b]
stable/5.14: [4785305c05b25a242e5314cc821f54ade4c18810, 6457378fe796815c973f631a1904e147d6ee33b1, 55938482a1461a35087c6f3051f8447662889ea8, 4589a12dcf80af31137ef202be1ff4a321707a73]

CVE-2021-42739: A buffer overflow bug is found in the firewire subsystem

CVSS v3 score is not provided.

Patches have been sent to the Linux Media mailing list, but they haven't been merged into the linux-media tree or mainline yet. According to the cip-kernel-config repo, no CIP member uses the firewire driver.

Fixed status

Not fixed yet.

CVE-2021-34866: Linux Kernel eBPF Type Confusion Privilege Escalation Vulnerability

CVSS v3 score is not provided.

A type confusion bug was found in the eBPF subsystem which can lead to a local attacker escalating their privileges. This bug was introduced in commit 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it"), which has been merged since 5.8-rc1, so kernels before 5.8 aren't affected by this CVE.

Fixed status

mainline: [5b029a32cfe4600f5e10e36b41778506b90fd4de]
stable/5.10: [9dd6f6d89693d8f09af53d2488afad22a8a44a57]

* Updated CVEs

CVE-2020-29374: gup: document and work around "COW can break either way" issue

This bug has been fixed since 5.8-rc1.
4.4 and 4.9 have been fixed this week. All stable kernels are fixed.

Fixed status

mainline: [17839856fd588f4ab6b789f482ed3ffd7c403e1f]
stable/4.14: [407faed92b4a4e2ad900d61ea3831dd597640f29]
stable/4.19: [5e24029791e809d641e9ea46a1f99806484e53fc]
stable/4.4: [58facc9c7ae307be5ecffc1697552550fedb55bd]
stable/4.9: [9bbd42e79720122334226afad9ddcac1c3e6d373]
stable/5.4: [1027dc04f557328eb7b7b7eea48698377a959157]

CVE-2021-41864: bpf: Fix integer overflow in prealloc_elems_and_freelist()

4.9 and 4.19 have been fixed this week. This bug was introduced in 4.6-rc1, therefore 4.4 isn't affected. All stable kernels are fixed.

Fixed status

mainline: [30e29a9a2bc6a4888335a6ede968b75cd329657a]
stable/4.14: [f34bcd10c4832d491049905d25ea3f46a410c426]
stable/4.19: [078cdd572408176a3900a6eb5a403db0da22f8e0]
stable/4.9: [4fd6663eb01bc3c73143cd27fefd7b8351bc6aa6]
stable/5.10: [064faa8e8a9b50f5010c5aa5740e06d477677a89]
stable/5.14: [3a1ac1e368bedae2777d9a7cfdc65df4859f7e71]
stable/5.4: [b14f28126c51533bb329379f65de5b0dd689b13a]

* Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

Fixed in bluetooth-next tree.
https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/net/bluetooth/sco.c?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com