New CVE entries this week


Masami Ichikawa
 

Hi !

It's this week's CVE report.

This week saw 1 new CVE and 2 updated CVEs.

Project Zero recently published a technique for exploiting a NULL
pointer dereference on a modern
kernel (https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html).
The article recommends the oops_limit feature to prevent this
exploitation technique. The oops_limit feature has been backported to
6.1.y (https://lore.kernel.org/stable/202301191532.AEEC765@keescook/T/#u).
The oops_limit patches are also available for 5.10
(https://lore.kernel.org/stable/20230124193004.206841-1-ebiggers@kernel.org/)
and 5.15 (https://lore.kernel.org/stable/20230124185110.143857-1-ebiggers@kernel.org/).
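As an added example (not part of this report or of the kernel patches it links), the following POSIX shell script checks whether the running kernel exposes the oops_limit sysctl that the Project Zero article recommends, and whether it is actually enforcing a limit. It assumes the sysctl is readable at /proc/sys/kernel/oops_limit on kernels that carry the patches, that a value of 0 means "no limit" and that 10000 is the upstream default; the optional path argument exists only so the check can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example, not from the original report: inspect kernel.oops_limit.
# Assumption: kernels with the oops_limit patches expose the value at
# /proc/sys/kernel/oops_limit; 0 disables the limit, 10000 is the default.

# Prints one of: missing | disabled | active:<n>
# $1 (optional) overrides the sysctl path, e.g. a constructed file for testing.
oops_limit_state() {
    f="${1:-/proc/sys/kernel/oops_limit}"
    if [ ! -r "$f" ]; then
        echo missing            # kernel predates oops_limit, or /proc not mounted
        return 0
    fi
    n=$(tr -d '[:space:]' < "$f")
    case "$n" in
        ''|*[!0-9]*) echo missing; return 0 ;;   # unparsable, treat as absent
    esac
    if [ "$n" -eq 0 ]; then
        echo disabled           # 0 means the oops counter never triggers a panic
    else
        echo "active:$n"
    fi
}

# Turns the state into an operator message.
# Returns 0 when a limit is enforced, 1 when the host needs attention.
oops_limit_check() {
    state=$(oops_limit_state "$1")
    case "$state" in
        active:*)
            echo "kernel.oops_limit=${state#active:}: repeated oopses will panic the box before a retry loop can succeed."
            return 0 ;;
        disabled)
            echo "kernel.oops_limit=0: unlimited oopses allowed; consider 'sysctl -w kernel.oops_limit=10000' (upstream default)."
            return 1 ;;
        *)
            echo "kernel.oops_limit not present: this kernel lacks the backport; kernel.panic_on_oops=1 is the fallback mitigation."
            return 1 ;;
    esac
}

# Run the check against the live kernel when invoked with --run.
if [ "$#" -gt 0 ] && [ "$1" = "--run" ]; then
    oops_limit_check
fi
```

Invoke it as `sh oops_limit_check.sh --run` on each host being assessed; a non-zero exit marks kernels that still allow an unbounded number of oopses and are therefore candidates for the 5.10/5.15/6.1 backports listed above.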

* New CVEs

CVE-2023-0468: use-after-free in io_uring poll events due to race condition

CVSS v3 score is not provided

A use-after-free flaw was found in io_uring/poll.c in
io_poll_check_events in the io_uring subcomponent in the Linux Kernel
due to a race condition of poll_refs.
This flaw may cause a NULL pointer dereference.

This bug was introduced by commit aa43477 ("io_uring: poll rework") in 5.17-rc1.
That commit was backported to 5.15, so 5.15 is affected. It was not
backported to 5.4 or 5.10.

Fixed status
mainline: [12ad3d2d6c5b0131a6052de91360849e3e154846,
a26a35e9019fd70bf3cf647dcfdae87abc7bacea]
stable/5.15: [df4b177b48516da64b988722a22d93d257dcda9a,
4b702b7d11ce1b9d26fc6d7c5a7ef4ac1d455048]

* Updated CVEs

CVE-2023-0179: netfilter: nft_payload: incorrect arithmetics when
fetching VLAN header bits

Fixed status
mainline: [696e1a48b1a1b01edad542a1ef293665864a4dd0]
stable/5.10: [550efeff989b041f3746118c0ddd863c39ddc1aa]
stable/5.15: [a8acfe2c6fb99f9375a9325807a179cd8c32e6e3]
stable/6.1: [76ef74d4a379faa451003621a84e3498044e7aa3]

CVE-2022-4842: fs/ntfs3: Fix attr_punch_hole() null pointer dereference

The fix was backported to 5.15 and 6.1.

Fixed status
mainline: [6d5c9e79b726cc473d40e9cb60976dbe8e669624]
stable/5.15: [9cca110cf8bb0653b423dba7a7c4cc23ccf91b28]
stable/6.1: [ff3b1a624380c14b81f4e51c48e404a45f047aab]

* Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email: masami.ichikawa@...