Re: New CVE Entries in this week

Masami Ichikawa


On Thu, Nov 4, 2021 at 6:57 PM Pavel Machek <pavel@...> wrote:


CVE-2021-34981: Bluetooth CMTP Module Double Free Privilege Escalation

This CVE is fixed in 5.14-rc1.

Fixed status

mainline: [3cfdf8fcaafa62a4123f92eb0f4a72650da3a479]
stable/4.19: [f8be26b9950710fe50fb45358df5bd01ad18efb7]
stable/4.9: [77c559407276ed4a8854dafc4a5efc8608e51906]
stable/5.10: [1b364f8ede200e79e25df0df588fcedc322518fb]
stable/5.4: [fe201316ac36c48fc3cb2891dfdc8ab68058734d]
This seems to be fixed in stable/4.4, too, as
61a811e8f5229264b822361f8b23d7638fd8c914. And cip-kernel-sec says so,
Thanks. I accidentally removed stable/4.4 from the above list.
CVE-2021-34981.yml contains stable/4.4 too.

CVE-2021-43267: tipc: fix size validations for the MSG_CRYPTO type

This vulnerability was introduced since 5.1-rc1 so before 5.10 kernels
aren't affected by this issue.
The mainline and stable kernels have been fixed.
AFAICT the vulnerability was introduced by 1ef6f7c9390f in
5.9-rc3. But that does not change anything for us.

* Updated CVEs

CVE-2021-3772: Invalid chunks may be used to remotely remove existing

This bug is in SCTP stack that attacker may be able to send packet
with spoofed IP address if attacker knows IP address and port number
being used.
AFAICT it is more of "if attacker can send packets with spoofed IP
addresses, he can...". Many of our configs use SCTP.
NVD hasn't given CVSS v3 Scores yet. However Red Hat and SUSE both
give it a score of 5.9. So it looks like it's not too serious issue.
Of course, it'd be nice to have patches.

CVE-2021-42327: drm/amdgpu: fix out of bounds write

The parse_write_buffer_into_params() was introduced since 5.9 so
before 5.9 kernels aren't affected by this vulnerability.

This CVE was fixed by 5afa7898ab7a ("drm/amdgpu: fix out of bounds
write"), however next commit 3f4e54bd312d ("drm/amdgpu: Fix even more
out of bound writes from debugfs") said that amdgpu_dm_debugfs.c
contains same issues so it'd be nice to apply 3f4e54bd312d
("drm/amdgpu: Fix even more out of bound writes from debugfs") too.
This looks quite easy to fix, OTOH CIP configs do not use amdgpu and
it is not too serious in the fist place.
I agree.

CVE-2021-20322: new DNS Cache Poisoning Attack based on ICMP fragment
needed packets replies

Update stable/5.4 and stable/4.19 fixed revisions.
It seems like stable/4.4 and stable/4.9 need backport following patches.
- 4785305c05b2 ("ipv6: use siphash in rt6_exception_hash()")
- a00df2caffed ("ipv6: make exception cache less predictible")
- 6457378fe796 ("ipv4: use siphash instead of Jenkins in
It would not be bad to understand the problem in the first place. Yes,
I guess different hashes have different qualities, but...

Best regards,
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@...

Join to automatically receive all group messages.