From d6ae3a1e5ea4c448112aa2a19b1e838dc26fb2cd Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Thu, 28 Mar 2024 09:32:52 +0100 Subject: Add CVE-2023-52628 --- active/CVE-2023-52628 | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 active/CVE-2023-52628 diff --git a/active/CVE-2023-52628 b/active/CVE-2023-52628 new file mode 100644 index 00000000..c01bc919 --- /dev/null +++ b/active/CVE-2023-52628 @@ -0,0 +1,20 @@ +Description: netfilter: nftables: exthdr: fix 4-byte stack OOB write +References: +Notes: + carnil> Introduced in 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit + carnil> addressing") + carnil> 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching") + carnil> 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks") + carnil> dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options"). + carnil> Vulnerable versions: 4.1-rc1 4.11-rc1 5.3-rc1 5.10.198 5.14-rc1. +Bugs: +upstream: released (6.6-rc1) [fd94d9dadee58e09b49075240fe83423eb1dcd36] +6.7-upstream-stable: N/A "Fixed before branching point" +6.6-upstream-stable: N/A "Fixed before branching point" +6.1-upstream-stable: released (6.1.54) [d9ebfc0f21377690837ebbd119e679243e0099cc] +5.10-upstream-stable: released (5.10.198) [a7d86a77c33ba1c357a7504341172cc1507f0698] +4.19-upstream-stable: needed +sid: released (6.5.6-1) +6.1-bookworm-security: released (6.1.55-1) +5.10-bullseye-security: released (5.10.205-1) +4.19-buster-security: needed -- cgit v1.2.3
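Review bot: In the Notes block, the "Vulnerable versions" line lists 5.10.198, while the 5.10-upstream-stable line records the fix as released in that same version (5.10.198), so as written one release is both vulnerable and fixed. Please say in the note what the 5.10.198 entry refers to, or drop it from the list if it was carried over by mistake. The same line gives five versions against four "Introduced in" commits; putting each version next to its commit on the corresponding carnil> line would make it possible to check which introducing commits are present in 4.19, where both the upstream-stable and buster-security entries are still "needed".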