New CVE entries this week
Masami Ichikawa
Hi !
It's this week's CVE report.

This week reported 3 CVEs and no updated CVEs.

* New CVEs

CVE-2021-33655: When sending malicious data to kernel by ioctl cmd FBIOPUT_VSCREENINFO, kernel will write memory out of bounds.

CVSS v3 score is not assigned.

This vulnerability allows a buffer overwrite when a user passes an invalid font size. There are three patches in the mainline. Each commit contains an affected version.

e64242c ("fbcon: Prevent that screen size is smaller than font size"): 5.4+
65a01e6 ("fbcon: Disallow setting font bigger than screen size"): 4.14+
6c11df5 ("fbmem: Check virtual screen sizes in fb_set_var()"): 5.4+

Fixed status

mainline: [e64242caef18b4a5840b0e7a9bff37abd4f4f933, 65a01e601dbba8b7a51a2677811f70f783766682, 6c11df58fd1ac0aefcb3b227f72769272b939e56]
stable/5.10: [cecb806c766c78e1be62b6b7b1483ef59bbaeabe]
stable/5.15: [9c9e44bb3dd5233232f2379c2dde0e403b1fd642]
stable/5.18: [365b729e36ca942f4d2d184afc8486017504a597]
stable/5.4: [af93e821973426ded00158ea66a977039483997e]

CVE-2021-33656: When setting font with malicious data by ioctl cmd PIO_FONT, kernel will write memory out of bounds.

CVSS v3 score is not assigned.

This vulnerability requires a user to have permission to access a console device (e.g. /dev/tth1).

Fixed status

mainline: [ff2047fb755d4415ec3c70ac799889371151796d]
stable/4.14: [259742e9ad3551d5be58cd4754e65e0aabc1f9c8]
stable/4.19: [b15d5731b708a2190fec836990b8aefbbf36b07a]
stable/4.9: [dc1421db273b725ebe90978a4b2d9bfba5cef702]
stable/5.10: [3acb7dc242ca25eb258493b513ef2f4b0f2a9ad1]
stable/5.4: [c87e851b23e5cb2ba90a3049ef38340ed7d5746f]

CVE-2022-21505: Kernel lockdown bypass bug

CVSS v3 score is not assigned.

When UEFI Secure Boot is disabled and Linux boots with the "ima_appraise=log" parameter, a user is able to do kexec even if the lockdown feature is enabled. A reporter attached a patch (https://www.openwall.com/lists/oss-security/2022/07/19/4) but it hasn't been merged yet.

This vulnerability was introduced by commit 29d3c1c ("kexec: Allow kexec_file() with appropriate IMA policy when locked down") which was merged in 5.4. Kernels older than 5.4 aren't affected by this issue.

Fixed status

Patch is available but not merged yet

* Updated CVEs

No updated CVEs this week.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.
Email :masami.ichikawa@...
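The conditions the report gives for CVE-2022-21505 (kernel 5.4 or later, lockdown enabled, "ima_appraise=log" on the command line, UEFI Secure Boot disabled) can be checked on a host as follows. This is an added example, not part of the original report or of any kernel patch; the function names and the `--host` switch are made up for illustration, and the check cannot tell whether a fix has been backported.

```shell
#!/bin/sh
# Added example: tests the CVE-2022-21505 preconditions listed in the report.

# lockdown_mode <contents of /sys/kernel/security/lockdown>
# The active mode is the bracketed word, e.g. "none [integrity] confidentiality".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# has_ima_appraise_log <kernel command line>: exact-parameter match only.
has_ima_appraise_log() {
    case " $1 " in
        *" ima_appraise=log "*) return 0 ;;
    esac
    return 1
}

# kernel_at_least_5_4 <uname -r output>: the report says older kernels are unaffected.
kernel_at_least_5_4() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "${minor:-0}" -ge 4 ]; }
}

# cve_2022_21505_exposed <uname -r> <cmdline> <lockdown file> <SecureBoot byte>
# Returns 0 only when every condition from the report holds.
cve_2022_21505_exposed() {
    kernel_at_least_5_4 "$1" || return 1
    has_ima_appraise_log "$2" || return 1
    mode=$(lockdown_mode "$3")
    [ "$mode" = "integrity" ] || [ "$mode" = "confidentiality" ] || return 1
    [ "$4" != "1" ]   # "1" = Secure Boot on; empty means no EFI variable was readable
}

# check_host: gather the four inputs from the running system.
check_host() {
    sb_var=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    sb=$(od -An -tu1 -j4 -N1 "$sb_var" 2>/dev/null | tr -d ' \n')  # skip 4 attribute bytes
    lock=$(cat /sys/kernel/security/lockdown 2>/dev/null)
    if cve_2022_21505_exposed "$(uname -r)" "$(cat /proc/cmdline)" "$lock" "$sb"; then
        echo "CVE-2022-21505 conditions met: lockdown is on but kexec is not restricted"
    else
        echo "CVE-2022-21505 conditions not met"
    fi
}

if [ "${1:-}" = "--host" ]; then check_host; fi
```

Save it to a file and run it with `--host` on the machine to be checked; without that argument it only defines the functions.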