Bug 56387 - linux-latest: Multiple issues (5.0)
Status: CLOSED DUPLICATE of bug 56376
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.0
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 5.0-4-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Reported: 2023-08-01 14:32 CEST by Quality Assurance
Modified: 2023-08-14 10:51 CEST
What kind of report is it?: Security Issue
Max CVSS v3 score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)


Description Quality Assurance univentionstaff 2023-08-01 14:32:48 CEST
New Debian linux-latest 105+deb10u20 fixes:
This update addresses the following issues:
* CVE-2023-1380: A slab-out-of-bound read problem was found in `brcmf_get_assoc_ies` in `drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c` in the Linux Kernel. This issue could occur when `assoc_info->req_len` data is bigger than the size of the buffer, defined as `WL_EXTRA_BUF_MAX`, leading to a denial of service.
* CVE-2023-2002: A vulnerability was found in the `HCI` sockets implementation due to a missing capability check in `net/bluetooth/hci_sock.c` in the Linux Kernel. This flaw allows an attacker unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.
* CVE-2023-2007: The specific flaw exists within the "DPT I2O Controller" driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.
* CVE-2023-2269: A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in `table_clear` in `drivers/md/dm-ioctl.c` in the Linux Kernel Device Mapper-Multipathing sub-component.
* CVE-2023-3090: A heap out-of-bounds write vulnerability in the Linux Kernel `ipvlan` network driver can be exploited to achieve local privilege escalation. The out-of-bounds write is caused by missing `skb->cb` initialization in the `ipvlan` network driver. The vulnerability is reachable if `CONFIG_IPVLAN` is enabled.
* CVE-2023-3111: A use after free vulnerability was found in `prepare_to_relocate` in `fs/btrfs/relocation.c` in `btrfs` in the Linux Kernel. This possible flaw can be triggered by calling `btrfs_ioctl_balance()` before calling `btrfs_ioctl_defrag()`.
* CVE-2023-3141: A use-after-free flaw was found in `r592_remove` in `drivers/memstick/host/r592.c` in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak.
* CVE-2023-3268: An out of bounds (OOB) memory access flaw was found in the Linux kernel in `relay_file_read_start_pos` in `kernel/relay.c` in the `relayfs`. This flaw could allow a local attacker to crash the system or leak kernel internal information.
* CVE-2023-3338: A NULL pointer dereference flaw was found in the Linux kernel's `DECnet` networking protocol. This issue could allow a remote user to crash the system.
* CVE-2023-20593: An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
* CVE-2023-31084: An issue was discovered in `drivers/media/dvb-core/dvb_frontend.c` in the Linux kernel. There is a blocking operation when a task is in `!TASK_RUNNING`. In `dvb_frontend_get_event`, `wait_event_interruptible` is called; the condition is `dvb_frontend_test_event(fepriv,events)`. In `dvb_frontend_test_event`, `down(&fepriv->sem)` is called. However, `wait_event_interruptible` would put the process to sleep, and `down(&fepriv->sem)` may block the process.
* CVE-2023-32233: A use-after-free in `Netfilter nf_tables` when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.
* CVE-2023-34256: There is an out-of-bounds read in `crc16` in `lib/crc16.c` when called from `fs/ext4/super.c` because `ext4_group_desc_csum` does not properly check an offset.
* CVE-2023-35788: An issue in `fl_set_geneve_opt` in `net/sched/cls_flower.c` in the Linux kernel allows an out-of-bounds write in the flower classifier code via `TCA_FLOWER_KEY_ENC_OPTS_GENEVE` packets. This may result in denial of service or privilege escalation.
* CVE-2023-35823: A use-after-free was found in `saa7134_finidev` in `drivers/media/pci/saa7134/saa7134-core.c`.
* CVE-2023-35824: A use-after-free was found in `dm1105_remove` in `drivers/media/pci/dm1105/dm1105.c`.

Debian update 105+deb10u20
Comment 1 Quality Assurance univentionstaff 2023-08-01 15:01:17 CEST
--- mirror/ftp/pool/main/l/linux-latest/linux-latest_105+deb10u19.dsc
+++ apt/ucs_5.0-0-errata5.0-4/source/linux-latest_105+deb10u20.dsc
@@ -1,3 +1,7 @@
+105+deb10u20 [Tue, 25 Jul 2023 20:16:23 +0200] Ben Hutchings <benh@debian.org>:
+
+  * Update to 4.19.0-25
+
 105+deb10u19 [Wed, 03 May 2023 00:36:44 +0200] Ben Hutchings <benh@debian.org>:
 
   * Update to 4.19.0-24
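
Review bot: The added 105+deb10u20 entry says only "Update to 4.19.0-25" and names none of the CVE ids listed in the description, so this changelog alone cannot confirm which fixes ship with the update. The erratum text should carry the CVE list itself or link the corresponding Debian advisory, and QA should verify the fixes against the 4.19.0-25 kernel packages rather than against this diff.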

<http://piuparts.knut.univention.de/5.0-4/#4365624239595468127>
Comment 2 Philipp Hahn univentionstaff 2023-08-14 10:51:30 CEST
https://errata.software-univention.de/#/?erratum=5.0x763

*** This bug has been marked as a duplicate of bug 56376 ***