New CVE entries in this week
Masami Ichikawa
Hi!

It's this week's CVE report.

This week reported two new CVEs. They have not been fixed in the mainline yet.

* New CVEs

CVE-2021-43975: atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait

CVSS v3 score is not provided.

OOB read/write bug in aQuantia device driver code. Patch was merged into the netdev tree on Nov 15.

Fixed status

Not fixed in the mainline yet.

CVE-2021-43976: mwifiex_usb: Fix skb_over_panic in mwifiex_usb_recv

CVSS v3 score is not provided.

Bug is in the Marvell WiFi-Ex driver code. Patch is being reviewed on the linux-wireless list (https://patchwork.kernel.org/project/linux-wireless/patch/YX4CqjfRcTa6bVL+@Zekuns-MBP-16.fios-router.home/).

Fixed status

Not yet.

* Updated CVEs

CVE-2021-37159: net: hso: do not call unregister if not registered

4.4 and 4.9 have been fixed. All stable kernels are fixed.

Fixed status

mainline: [a6ecfb39ba9d7316057cea823b196b734f6b18ca]
stable/4.14: [4c0db9c4b3701c29f47bac0721e2f7d2b15d8edb]
stable/4.19: [f6cf22a1ef49f8e131f99c3f5fd80ab6b23a2d21]
stable/4.4: [cbefdf724282e6a948885f379dc92ab841c2fee0]
stable/4.9: [88b912e02d75bacbb957d817db70e6a54ea3a21c]
stable/5.10: [115e4f5b64ae8d9dd933167cafe2070aaac45849]
stable/5.13: [eeaa4b8d1e2e6f10362673d283a97dccc7275afa]
stable/5.4: [fe57d53dd91d7823f1ceef5ea8e9458a4aeb47fa]

CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt()

stable/4.14 has been fixed.

Fixed status

stable/4.14: [8d6c05da808f8351db844b69a9d6ce7f295214bb]
stable/4.19: [53ec9dab4eb0a8140fc85760fb50effb526fe219]
stable/5.10: [d7fc85f6104259541ec136199d3bf7c8a736613d]
stable/5.14: [02a476ca886dc8155025fe99cbbad4121d029fa7]
stable/5.15: [cb667140875a3b1db92e4c50b4617a7cbf84659b]
stable/5.4: [2461f38384d50dd966e1db44fe165b1896f5df5a]

CVE-2020-27820: use-after-free in nouveau kernel module

Fixed status

Patches were merged in 5.16-rc1.

mainline: [aff2299e0d81b26304ccc6a1ec0170e437f38efc,
abae9164a421bc4a41a3769f01ebcd1f9d955e0e,
f55aaf63bde0d0336c3823bb3713bd4a464abbcf]

CVE-2021-3640: UAF in sco_send_frame function

Patch was merged in 5.16-rc1. Patches for 4.4, 4.9, 4.14, 4.19, and 5.10 are in the stable-rc tree.

Fixed status

mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]
stable/5.14: [2c2b295af72e4e30d17556375e100ae65ac0b896]
stable/5.4: [d416020f1a9cc5f903ae66649b2c56d9ad5256ab]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,

--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@...
      :masami.ichikawa@...