Re: New CVE entries in this week

Pavel Machek

Hi!

CVE-2021-45469: f2fs: fix to do sanity check on last xattr entry in
__f2fs_setxattr()

CVSS v3 score is not provided

OOB access bug in __f2fs_setxattr().

Although it is fixed in stable trees, the patch isn't merged in the
mainline yet at 2021/12/30. The commit 5598b24 ("f2fs: fix to do
sanity check on last xattr entry in __f2fs_setxattr()") is in
https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=dev&id=5598b24efaf4892741c798b425d543e4bed357a1
but not in the mainline.
Interesting. That's wrong and unusual for stable tree.

CVE-2021-45480: rds: memory leak in __rds_conn_create()

CVSS v3 score is not provided

This bug was introduced by commit aced3ce57cd3 ("RDS tcp loopback
connection can hang") which was merged at 5.13-rc4.
It was also merged in 4.19-stable as 0a3158ac5999fe. That's why we see
4.19 tree needing the fix. 4.4 is not affected. Good.

mainline: [5f9562ebe710c307adc5f666bf1a2162ee7977c0]
stable/4.19: [1ed173726c1a0082e9d77c7d5a85411e85bdd983]
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany