Hi, Jan-san, Minda-san,

Please find the CVE report as follows.
In the analysis of those CVEs, we found some doubts about the configs.

- CVE-2020-35519 is related to X.25.
  X.25 is enabled as follows, but we wonder whether X.25 is really used or not.
> 4.4.y-cip/x86/plathome_obsvx1.config:CONFIG_X25=m
> 4.19.y-cip-rt/x86/siemens_i386-rt.config:CONFIG_X25=m
> 5.10.y-cip-rt/x86/siemens_i386-rt_defconfig:CONFIG_X25=m
  Please confirm, and let us know whether X.25 should be disabled.

- CVE-2021-20261 is related to floppy.
  It is enabled as follows.
> 4.4.y-cip-rt/x86/siemens_i386-rt.config:CONFIG_BLK_DEV_FD=m
  Please confirm that this can also be disabled.

Best regards,
--
M. Kudo

> -----Original Message-----
> From: Chen-Yu Tsai
> Sent: Thursday, March 18, 2021 5:48 PM
> To: cip-dev@lists.cip-project.org
> Cc: Pavel Machek; Nobuhiro Iwamatsu; 工藤 雅司(CTJ OSS事業推進室)
> Subject: Cip-kernel-sec Updates for Week of 2021-03-18
>
> Hi everyone,
>
> Six new issues this week from the Ubuntu tracker:
>
> - CVE-2020-35519 [net/x25: buffer overflow] - fixed
>   Looks like a few configs still have X.25 enabled:
>     4.4.y-cip/x86/plathome_obsvx1.config:CONFIG_X25=m
>     4.19.y-cip-rt/x86/siemens_i386-rt.config:CONFIG_X25=m
>     5.10.y-cip-rt/x86/siemens_i386-rt_defconfig:CONFIG_X25=m
>   Maybe they should be revisited? cip-kernel-config also gives warnings
>   for CONFIG_X25.
>
> - CVE-2021-20219 [improper synchronization in flush_to_ldisc()] - likely RedHat only
>   Report mentions incorrect backport in RedHat kernels.
>
> - CVE-2021-20261 [floppy: race condition data corruption] - fixed
>   No member enables this except:
>     4.4.y-cip-rt/x86/siemens_i386-rt.config:CONFIG_BLK_DEV_FD=m
>   which should probably be turned off.
>
> - CVE-2021-28375 [fastrpc: allows sending kernel RPCs] - fixed
>   No member enables this.
>
> - CVE-2021-28660 [rtl8188eu: array access out-of-bounds] - fixed
>   No member enables this.
>
> - CVE-2021-3428 [integer overflow in ext4_es_cache_extent] - unclear [1]
>   Requires a specially-crafted ext4 FS image, so we likely don't care.
>
> Unfortunately Debian's Salsa service, where the Debian kernel security issue
> tracker is hosted, is currently down, so we only have one source of data this week.
>
>
> Regards
> ChenYu
>
>
> [1] https://lore.kernel.org/stable/20210317151834.GE2541@quack2.suse.cz/