Re: New CVE entries in this week

Pavel Machek


CVE-2021-45095: phonet: refcount leak in pep_sock_accep

CVSS v3 score is not provided

This issue is a refcount leak in pep_sock_accep(). It's been fixed in
the mainline.

Fixed status

mainline: [bcd0f93353326954817a4f9fa55ec57fb38acbb0]
This is Nokia modem stuff. It is enabled in several of our configs,
but I don't think anyone is really using it.

CVE-2021-4149: Improper lock operation in btrfs

CVSS v3 score is not provided

There is a deadlock problem in fs/btrfs/extent-tree.c. This problem
causes a local attacker can do a DoS attack to the system.
The patch specifies the vulnerable kernel version is 5.4 or later.
stable/4.4, stable/4.9, and buf value is not locked in
btrfs_init_new_buffer(). However, stable/4.19 takes a lock in
so it seems 4.19 has same issue.
Fixed status

mainline: [19ea40dddf1833db868533958ca066f368862211]
stable/5.10: [206868a5b6c14adc4098dd3210a2f7510d97a670]
stable/5.4: [005a07c9acd6cf8a40555884f0650dfd4ec23fbe]
This may be worth looking into.

Best regards,
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

Join to automatically receive all group messages.