Cip-kernel-sec Updates for Week of 2021-02-11
Chen-Yu Tsai (Moxa) <wens@...>
Hi everyone,
Six new issues this week:

- CVE-2020-12362, CVE-2020-12363, CVE-2020-12364: CVEs from Intel Advisory affecting Intel Graphics Driver. Details unknown
- CVE-2021-20194 [bpf heap overflow] - fixed for relevant kernels
- CVE-2021-20226 [io_uring UAF] - likely a duplicate of CVE-2020-29534, already fixed
- CVE-2021-26708 [AF_VSOCK: local priv. escalation] - fixed for relevant kernels

Additionally, CVE-2021-3347 is fixed for 4.4 and 4.9. I still need to match patches for 4.4 against 4.9, but it looks like the fixes are there.

Regards
ChenYu
Chen-Yu Tsai (Moxa) <wens@...>
On Thu, Feb 11, 2021 at 4:50 PM Chen-Yu Tsai <wens@...> wrote:
Based on fixes for 4.9 reported by Debian, CVE-2021-3347 is now fixed for 4.4 by 6510e4a2d04f33e4bfd221760faab23e55d8772b..46358277b2da868763517f79aa0ac25ce78c4f68 inclusive.

Lee Jones just posted a few follow-up fixes for futexes for 4.9 [1]. I wonder if they would also be posted for 4.4.

Regards
ChenYu

[1] https://lore.kernel.org/stable/20210211092700.11772-1-lee.jones@linaro.org/
Pavel Machek
Hi!
> Six new issues this week:

It seems there's more for the intel graphics, but it is not mentioned in our repository. OTOH trailer there that these are rather old issues, fixed in 5.5...

Best regards,
Pavel

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html

CVEID: CVE-2020-0544
Description: Insufficient control flow management in the kernel mode driver for some Intel(R) Graphics Drivers before version 15.36.39.5145 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVSS Base Score: 8.8 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-0521
Description: Insufficient control flow management in some Intel(R) Graphics Drivers before version 15.45.32.5145 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.7 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

...

Affected Products: Intel® Graphics Drivers for 3rd, 4th, 5th, 6th, 7th, 8th, 9th and 10th Generation Intel® Processors for Windows* 7, 8.1 and 10 before versions 15.33.51.5146, 15.36.39.5145, 15.40.46.5144, 15.45.32.5164, 26.20.100.8141, 27.20.100.8587 and Intel® Graphics Drivers for Linux before Linux kernel version 5.5.

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Chen-Yu Tsai (Moxa) <wens@...>
Hi,
On Thu, Feb 11, 2021 at 7:39 PM Pavel Machek <pavel@...> wrote:

Looks like CVE-2020-0544 and CVE-2020-0521 are for Windows. Debian lists them as such [1][2].

Seems the Intel advisory directly refers to Linux drivers by kernel version. Any other version string likely refers to the Windows drivers.

ChenYu

[1] https://security-tracker.debian.org/tracker/CVE-2020-0521
[2] https://security-tracker.debian.org/tracker/CVE-2020-0544

> Best regards,
Chen-Yu Tsai (Moxa) <wens@...>
Hi,
On Thu, Feb 11, 2021 at 4:50 PM Chen-Yu Tsai <wens@...> wrote:

So the fix for these three is a firmware update. However, to use the newer firmware, a kernel patch [1] is required. Not sure how we should mark this in our repository... ignore or fixed by said patch?

Thanks
ChenYu

[1] https://git.kernel.org/linus/c784e5249e773689e38d2bc1749f08b986621a26

> - CVE-2021-20194 [bpf heap overflow] - fixed for relevant kernels