New CVE entries in this week


Masami Ichikawa
 

Hi !

It's this week's CVE report.

4 new CVEs were reported this week.

* New CVEs

CVE-2022-0322: sctp: account stream padding length for reconf chunk

CVSS v3 score is not provided

This issue was introduced by commit cc16f00 ("sctp: add support for
generating stream reconf ssn reset request chunk") in 4.11-rc1, so 4.9
and 4.4 are not affected by this issue. All kernels have been fixed.

Fixed status

mainline: [a2d859e3fc97e79d907761550dbc03ff1b36479c]
stable/4.14: [41f0bcc7d9eac315259d4e9fb441552f60e8ec9e]
stable/4.19: [c57fdeff69b152185fafabd37e6bfecfce51efda]
stable/5.10: [d84a69ac410f6228873d05d35120f6bdddab7fc3]
stable/5.4: [d88774539539dcbf825a25e61234f110513f5963]

CVE-2022-0264: bpf: Fix kernel address leakage in atomic fetch

CVSS v3 score is not provided

A local user with certain privileges is able to obtain kernel
internal memory addresses.
This issue was introduced by commit 38086bf ("bpf: Propagate stack
bounds to registers in atomics w/ BPF_FETCH"), which was merged in
5.12-rc1-dontuse, and fixed in 5.17-rc1, so kernels before 5.12 are
not affected by this issue.

Fixed status

mainline: [7d3baf0afa3aa9102d6a521a8e4c41888bb79882]
stable/5.15: [423628125a484538111c2c6d9bb1588eb086053b]

CVE-2022-0330: drm/i915: Flush TLBs before releasing backing store

CVSS v3 score is not provided

Vulnerability in the i915 driver. Without an active IOMMU, malicious
userspace can gain access (from code executing on the GPU) to random
memory pages.

Fixed status

mainline: [7938d61591d33394a21bdd7797a245b65428f44c]

CVE-2021-22600: net/packet: rx_owner_map depends on pg_vec

CVSS v3 score: NIST: not provided
CVSS v3 score: CNA: 6.6 medium

A double free bug in packet_set_ring() in net/packet/af_packet.c can
be exploited by a local user through crafted syscalls to escalate
privileges or deny service.
This issue was introduced by commit 61fad68 ("net/packet: tpacket_rcv:
avoid a producer race condition"), which was merged in 5.6.
However, it was also backported to 5.4, 4.19, and 4.14, so those
kernels are affected as well; 4.4 and 4.9 did not receive the backport
and are not affected.

Fixed status

mainline: [ec6af094ea28f0f2dda1a6a33b14cd57e36a9755]
stable/4.14: [a829ff7c8ec494eca028824628a964cde543dc76]
stable/4.19: [18c73170de6719491f79b04c727ea8314c246b03]
stable/5.10: [7da349f07e457cad135df0920a3f670e423fb5e9]
stable/5.15: [feb116a0ecc5625d6532c616d9a10ef4ef81514b]
stable/5.4: [027a13973dadb64ef4f19db56c9b619ee82c3375]

* Updated CVEs

CVE-2022-0185: vfs: fs_context: fix up param length parsing in
legacy_parse_param

This issue affects 5.8 or later kernels; all stable kernels have been
fixed.

Fixed status

mainline: [722d94847de29310e8aa03fcbdb41fc92c521756]
stable/5.10: [eadde287a62e66b2f9e62d007c59a8f50d4b8413]
stable/5.15: [e192ccc17ecf3e78a1c6fb81badf9b50bd791115]
stable/5.16: [8b1530a3772ae5b49c6d8d171fd3146bb947430f]
stable/5.4: [bd2aed0464ae3d6e83ce064cd91fc1a7fec48826]

CVE-2021-43976: mwifiex_usb: Fix skb_over_panic in mwifiex_usb_recv

An attacker who can connect a crafted USB device can cause a DoS through
this issue. Fixed in the mainline.

Fixed status

mainline: [04d80663f67ccef893061b49ec8a42ff7045ae84]

CVE-2021-45469: f2fs: fix to do sanity check on last xattr entry in
__f2fs_setxattr()

Fixed in the mainline this week. For 4.4, commit ba38c27 ("f2fs:
enhance lookup xattr"), commit 2777e65 ("f2fs: fix to avoid
accessing xattr across the boundary"), and further patches are also
needed.

Fixed status

mainline: [645a3c40ca3d40cc32b4b5972bf2620f2eb5dba6]
stable/4.14: [88dedecc24763c2e0bc1e8eeb35f9f2cd785a7e5]
stable/4.19: [f9dfa44be0fb5e8426183a70f69a246cf5827f49]
stable/5.10: [fffb6581a23add416239dfcf7e7f3980c6b913da]
stable/5.15: [a8a9d753edd7f71e6a2edaa580d8182530b68791]
stable/5.4: [b0406b5ef4e2c4fb21d9e7d5c36a0453b4279e9b]

CVE-2021-4204: eBPF Improper Input Validation Vulnerability

The mainline kernel was fixed this week.

A local attacker can escalate privileges via this bug.
This bug affects 5.8 or later kernels. Commit 457f4436
("bpf: Implement BPF ring buffer and verifier support for it")
introduced this issue.

To mitigate this issue, set kernel.unprivileged_bpf_disabled to 1.
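As an added example, not part of the original report, a POSIX shell helper that checks whether the kernel.unprivileged_bpf_disabled mitigation above is in effect and applies it persistently. The function names, the sysctl.d file name and the optional file-path argument (used so the check can run against a test fixture instead of /proc) are assumptions.

```shell
#!/bin/sh
# Added example (not from the report): verify the CVE-2021-4204 mitigation
# kernel.unprivileged_bpf_disabled=1 and make it persistent.

# Print the mitigation state for the sysctl value stored in $1
# (default: the live knob under /proc). Exit status 0 means unprivileged
# bpf() is disabled, 1 means it is enabled, 2 means the state is unknown.
bpf_unpriv_status() {
    file="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    if [ ! -r "$file" ]; then
        # Kernel built without CONFIG_BPF_SYSCALL, or too old to have the knob.
        echo "unknown: $file not present"
        return 2
    fi
    val=$(tr -d '[:space:]' < "$file")
    case "$val" in
        0) echo "vulnerable: unprivileged bpf() enabled"; return 1 ;;
        # Value 1 is one-way: it cannot be cleared again without a reboot.
        1) echo "mitigated: unprivileged bpf() disabled (locked until reboot)"; return 0 ;;
        # Value 2 (newer kernels) also disables unprivileged bpf(), but root
        # may set it back to 0 or 1 later.
        2) echo "mitigated: unprivileged bpf() disabled (changeable by root)"; return 0 ;;
        *) echo "unknown: unexpected value '$val'"; return 2 ;;
    esac
}

# Apply the mitigation named in the report and persist it across reboots.
# Needs root. The sysctl.d file name is an assumption.
apply_bpf_mitigation() {
    sysctl -w kernel.unprivileged_bpf_disabled=1 &&
    printf 'kernel.unprivileged_bpf_disabled = 1\n' \
        > /etc/sysctl.d/99-cve-2021-4204.conf
}
```

Source the file and call `bpf_unpriv_status` with no argument to check the running kernel; the exit status makes it usable from fleet audit scripts.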


Fixed status

mainline: [be80a1d3f9dbe5aee79a325964f7037fe2d92f30,
d400a6cf1c8a57cdf10f35220ead3284320d85ff,
6788ab23508bddb0a9d88e104284922cb2c22b77,
64620e0a1e712a778095bd35cbb277dc2259281f,
a672b2e36a648afb04ad3bda93b6bda947a479a5,
722e4db3ae0d52b2e3801280afbe19cf2d188e91,
37c8d4807d1b8b521b30310dce97f6695dc2c2c6]


Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
:masami.ichikawa@miraclelinux.com
