New CVE entries in this week


Masami Ichikawa
 

Hi !

It's this week's CVE report.

This week reported six new CVEs.

* New CVEs

CVE-2021-45469: f2fs: fix to do sanity check on last xattr entry in
__f2fs_setxattr()

CVSS v3 score is not provided

OOB access bug in __f2fs_setxattr().

Although it is fixed in stable trees, the patch isn't merged in the
mainline yet at 2021/12/30. The commit 5598b24 ("f2fs: fix to do
sanity check on last xattr entry in __f2fs_setxattr()") is in
https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=dev&id=5598b24efaf4892741c798b425d543e4bed357a1
but not in the mainline.

Fixed status

stable/4.19: [f9dfa44be0fb5e8426183a70f69a246cf5827f49]
stable/5.10: [fffb6581a23add416239dfcf7e7f3980c6b913da]

CVE-2021-4154: cgroup: verify that source is a string

CVSS v3 score is not provided

UAF bug was found in cgroup v1 code which was introduced by commit
8d2451f4994f ("cgroup1: switch to option-by-option parsing"). This
commit was merged at 5.1-rc1. This bug will cause local DoS.
The mainline and stable kernels are fixed.

Fixed status

mainline: [3b0462726e7ef281c35a7a4ae33e93ee2bc9975b]
stable/5.10: [811763e3beb6c922d168e9f509ec593e9240842e]
stable/5.4: [c17363ccd620c1a57ede00d5c777f0b8624debe6]

CVE-2021-4157: pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()

CVSS v3 score is not provided

This OOB write bug was introduced by commit d67ae82 ("pnfs/flexfiles:
Add the FlexFile Layout Driver") which was merged at 4.0-rc1. A local
attacker could do system crash or escalate privileges on the system.
The mainline and stable kernels are fixed.

Fixed status

mainline: [ed34695e15aba74f45247f1ee2cf7e09d449f925]
stable/4.14: [40286f0852d2ecfa713438199557c706dc6a8db3]
stable/4.19: [f27638a92f77d8107efbaf48a0d3bfa24da8cdad]
stable/4.4: [0c5ccd5e2a2e291774618c24c459fa397fd1b7da]
stable/4.9: [c621f3654bba1096ec913d0942e27bd032bb6090]
stable/5.10: [1fbea60ea658ab887fb899532d783732b04e53e6]
stable/5.4: [89862bd77e9cf511628eb7a97fe7f8d246192eec]

CVE-2021-45480: rds: memory leak in __rds_conn_create()

CVSS v3 score is not provided

This bug was introdued by commit aced3ce57cd3 ("RDS tcp loopback
connection can hang") which was merged at 5.13-rc4.

Fixed status

mainline: [5f9562ebe710c307adc5f666bf1a2162ee7977c0]
stable/4.19: [1ed173726c1a0082e9d77c7d5a85411e85bdd983]
stable/5.10: [74dc97dfb276542f12746d706abef63364d816bb]
stable/5.15: [68014890e4382ff9192e1357be39b7d0455665fa]
stable/5.4: [166f0adf7e7525c87595ceadb21a91e2a9519a1e]

CVE-2021-45485: ipv6: use prandom_u32() for ID generation

CVSS v3 score is not provided

CVE-2021-45485 and CVE-2021-45486 are related issue. A bug fixed
commit 62f20e0 is a complement to aa6dd21 ("inet: use bigger hash
table for IP ID generation") which is CVE-2021-45486.
The mainline and stable kernels are fixed.

Fixed status

mainline: [62f20e068ccc50d6ab66fdb72ba90da2b9418c99]
stable/4.14: [4b55d7b3106a410cdab4ea60f5e55ca0668c6a09]
stable/4.19: [f0be58ec9931907e980cf21737e51d369808eb95]
stable/4.4: [c43fa9ee9f1de295474a28903607f84209d7e611]
stable/4.9: [3fc852e59c0a48094cc0f1b2e866604986bbcd31]
stable/5.10: [8f939b79579715b195dc3ad36669707fce6853ee]
stable/5.4: [ccde03a6a0fbdc3c0ba81930e629b8b14974cce4]

CVE-2021-45486: inet: use bigger hash table for IP ID generation

CVE-2021-45485 and CVE-2021-45486 are related issue. This CVE fixes
commit 73f156a ("inetpeer: get rid of ip_id_count"). The commit
73f156a was merged at 3.16-rc1.
The mainline and stable kernels are fixed.

Fixed status

mainline: [aa6dd211e4b1dde9d5dc25d699d35f789ae7eeba]
stable/4.14: [3ba51ed2c3ac36aa947d0b250d318de6ed7cf552]
stable/4.19: [7f7e23df8509e072593200400a4b094cc44376d2]
stable/4.4: [8fb8c138b5d69128964e54e1b5ee49fc395f011c]
stable/4.9: [0889f0a3bb2de535f48424491d8f9d5954a3cde8]
stable/5.10: [a273c27d7255fc527023edeb528386d1b64bedf5]
stable/5.4: [fee81285bd09ec2080ce2cbb5063aad0e58eb272]

* Updated CVEs

no updated CVEs.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,

--
/**
* Masami Ichikawa
* personal: masami256@...
* fedora project: masami@...
*/


Pavel Machek
 

Hi!

CVE-2021-45469: f2fs: fix to do sanity check on last xattr entry in
__f2fs_setxattr()

CVSS v3 score is not provided

OOB access bug in __f2fs_setxattr().

Although it is fixed in stable trees, the patch isn't merged in the
mainline yet at 2021/12/30. The commit 5598b24 ("f2fs: fix to do
sanity check on last xattr entry in __f2fs_setxattr()") is in
https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=dev&id=5598b24efaf4892741c798b425d543e4bed357a1
but not in the mainline.
Interesting. That's wrong and unusual for stable tree.

CVE-2021-45480: rds: memory leak in __rds_conn_create()

CVSS v3 score is not provided

This bug was introdued by commit aced3ce57cd3 ("RDS tcp loopback
connection can hang") which was merged at 5.13-rc4.
It was also merged in 4.19-stable as 0a3158ac5999fe. That's why we see
4.19 tree needing the fix. 4.4 is not affected. Good.

mainline: [5f9562ebe710c307adc5f666bf1a2162ee7977c0]
stable/4.19: [1ed173726c1a0082e9d77c7d5a85411e85bdd983]
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Masami Ichikawa
 

Hi !

On Thu, Dec 30, 2021 at 7:20 PM Pavel Machek <pavel@...> wrote:

Hi!

CVE-2021-45469: f2fs: fix to do sanity check on last xattr entry in
__f2fs_setxattr()

CVSS v3 score is not provided

OOB access bug in __f2fs_setxattr().

Although it is fixed in stable trees, the patch isn't merged in the
mainline yet at 2021/12/30. The commit 5598b24 ("f2fs: fix to do
sanity check on last xattr entry in __f2fs_setxattr()") is in
https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=dev&id=5598b24efaf4892741c798b425d543e4bed357a1
but not in the mainline.
Interesting. That's wrong and unusual for stable tree.

CVE-2021-45480: rds: memory leak in __rds_conn_create()

CVSS v3 score is not provided

This bug was introdued by commit aced3ce57cd3 ("RDS tcp loopback
connection can hang") which was merged at 5.13-rc4.
It was also merged in 4.19-stable as 0a3158ac5999fe. That's why we see
4.19 tree needing the fix. 4.4 is not affected. Good.
Thank you for the information.

mainline: [5f9562ebe710c307adc5f666bf1a2162ee7977c0]
stable/4.19: [1ed173726c1a0082e9d77c7d5a85411e85bdd983]
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Regards,
--
/**
* Masami Ichikawa
* personal: masami256@...
* fedora project: masami@...
*/