Re: Cip-kernel-sec Updates for Week of 2021-02-04


masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
 

Hi, Chen-Yu san,

Thanks for reporting this!

Best regards,
--
M. Kudo

-----Original Message-----
From: Chen-Yu Tsai <wens@csie.org>
Sent: Friday, February 5, 2021 11:33 AM
To: cip-dev@lists.cip-project.org
Cc: Pavel Machek <pavel@denx.de>; Nobuhiro Iwamatsu
<nobuhiro1.iwamatsu@toshiba.co.jp>; 工藤 雅司(CTJ OSS事業推進室)
<masashi.kudo@cybertrust.co.jp>
Subject: Re: Cip-kernel-sec Updates for Week of 2021-02-04

On Thu, Feb 4, 2021 at 1:26 PM Chen-Yu Tsai <wens@csie.org> wrote:

Hi everyone,

Two new issue this week:
- CVE-2021-3347 [UAF in futex]: fixed for 4.14 and later [1]
- CVE-2021-3348 [nbd: UAF when adding connections while operations are
running]: fixed in all kernels

For CVE-2021-3347, based on [1], more patches are needed for 4.4 and 4.9.
The second batch:

12bb3f7f1b03d5913b3f9d4236a488aa7774dfe9..34b1a1ce1458f50ef27c54e28eb
9
b1947012907a
inclusive

has not been included yet. Lee Jones seems to be handling it [2].
FTR, a second backport series for 4.4 was also posted:

https://lore.kernel.org/stable/20210204172903.2860981-1-lee.jones@linaro.org
/


ChenYu

For CVE-2020-27825 from two weeks ago, the fix has been backported to
all stable kernels.

For CVE-2020-16120, Ubuntu mentions a regression due to the backported fix
[3].
We probably don't care either way since this requires unprivileged
user namespace is enabled.


Regards
ChenYu

[1]
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.gi
t/tree/pending/futex_issues.txt [2]
https://lore.kernel.org/stable/20210203134539.2583943-1-lee.jones@lina
ro.org/ [2]
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1900141

Join cip-dev@lists.cip-project.org to automatically receive all group messages.