Re: New CVE entry this week

Nobuhiro Iwamatsu


-----Original Message-----
From: cip-dev@... [mailto:cip-dev@...] On Behalf Of Masami Ichikawa
Sent: Thursday, October 21, 2021 10:21 AM
To: cip-dev <cip-dev@...>
Subject: [cip-dev] New CVE entry this week

Hi !

It's this week's CVE report.

This week reported 7 new CVEs.

* New CVEs

CVE-2021-20320: kernel: s390 eBPF JIT miscompilation issues fixes.

This bug is in BPF subsystem and s390 architecture specific. Patches
haven't been backported to 4.4 kernel. However, according to the
cip-kernel-config, it looks like no one uses s390, so can it ignore it
until someone backport patches?

CVSS v3 score is not provided.

Fixed status

mainline: [db7bee653859ef7179be933e7d1384644f795f26,
stable/4.19: [ddf58efd05b5d16d86ea4638675e8bd397320930]
stable/4.9: [c22cf38428cb910f1996839c917e9238d2e44d4b,
stable/5.10: [d92d3a9c2b6541f29f800fc2bd44620578b8f8a6,
stable/5.14: [7a31ec4d215a800b504de74b248795f8be666f8e,

CVE-2021-20321: kernel: In Overlayfs missing a check for a negative
dentry before calling vfs_rename()

CVSS v3 score is not provided.

A local attacker can escalate their privileges up to root via
overlayfs vulnerability.
Patch for 4.4 is applied
failed( It
needs to modify the patch. I attached a patch, if it looks good, I'll
send it to the stable mailing list.
Thanks, I checked your patch. LGTM.

Best regards,

Join to automatically receive all group messages.