path: root/dsa-texts
author    Ben Hutchings <ben@decadent.org.uk>  2022-03-08 19:15:21 +0100
committer Ben Hutchings <ben@decadent.org.uk>  2022-03-08 19:18:01 +0100
commit    31bba68a747e739788cd6bf824800ae67dd01cef (patch)
tree      71227854e7ec711b9ff789515d61d5de7e23a4cb /dsa-texts
parent    69cbae8101899510b37acd41a9ad6f007af1078a (diff)
Fill in remaining issue descriptions
Diffstat (limited to 'dsa-texts')
-rw-r--r--  dsa-texts/4.19.232-1  33
-rw-r--r--  dsa-texts/4.9.303-1   22
-rw-r--r--  dsa-texts/5.10.103-1  22
3 files changed, 63 insertions, 14 deletions
diff --git a/dsa-texts/4.19.232-1 b/dsa-texts/4.19.232-1
index f19c1dfbd..51a031d8f 100644
--- a/dsa-texts/4.19.232-1
+++ b/dsa-texts/4.19.232-1
@@ -252,7 +252,11 @@ CVE-2021-43976
CVE-2021-44733
- Description
+ A race condition was discovered in the Trusted Execution
+ Environment (TEE) subsystem for Arm processors, which could lead
+ to a use-after-free. A local user permitted to access a TEE
+ device could exploit this for denial of service (memory corruption
+ or crash) or possibly for privilege escalation.
CVE-2021-45095
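Review bot: the CVE-2021-44733 text does not say where the race is. The neighbouring entries name the affected function (CVE-2021-45480 names __rds_conn_create(), CVE-2021-45095 names pep_sock_accept()), so this one should name the TEE function or file the use-after-free occurs in, which also lets a reader match the entry to the upstream fix. The attacker scoping ("A local user permitted to access a TEE device") is good and should stay.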
@@ -271,13 +275,27 @@ CVE-2021-45480
A memory leak flaw was discovered in the __rds_conn_create()
function in the RDS (Reliable Datagram Sockets) protocol subsystem.
-CVE-2022-0001
+CVE-2022-0001 (INTEL-SA-00598)
+
+ Researchers at VUSec discovered that the Branch History Buffer in
+ Intel processors can be exploited to create information side-
+ channels with speculative execution. This issue is similar to
+ Spectre variant 2, but requires additional mitigations on some
+ processors.
+
+ This can be exploited to obtain sensitive information from a
+ different security context, such as from user-space to the kernel,
+ or from a KVM guest to the kernel.
- Description
+CVE-2022-0002 (INTEL-SA-00598)
-CVE-2022-0002
+ This is a similar issue to CVE-2022-0001, but covers exploitation
+ within a security context, such as from JIT-compiled code in a
+ sandbox to hosting code in the same process.
- Description
+ This can be partly mitigated by disabling eBPF for unprivileged
+ users with the sysctl: kernel.unprivileged_bpf_disabled=2. This
+ update does that by default.
CVE-2022-0322
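Review bot: the CVE-2022-0001 paragraph never says what this update does about the issue, while the CVE-2022-0002 paragraph does ("This update does that by default"). "Requires additional mitigations on some processors" leaves the reader unsure whether those mitigations are in this 4.19.232-1 kernel, whether they are enabled by default, and whether updated CPU microcode is needed as well; one sentence stating that would resolve it. For CVE-2022-0002, "This update does that by default" should say how the default is applied (kernel configuration versus a shipped sysctl setting) and whether administrators can set kernel.unprivileged_bpf_disabled back to 0 afterwards, since a locally configured value of 0 will override the new default and silently drop the mitigation. Minor: "side-\nchannels" is wrapped at the hyphen, which renders as "side- channels"; reflow so the compound stays on one line.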
@@ -318,7 +336,10 @@ CVE-2022-0617
CVE-2022-0644
- Description
+ Hao Sun reported a missing check for file read permission in the
+ finit_module() and kexec_file_load() system calls. The security
+ impact of this is unclear, since these system calls are usually
+ only available to the root user.
CVE-2022-22942
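Review bot: "usually only available to the root user" in the CVE-2022-0644 text is imprecise; finit_module() is gated on CAP_SYS_MODULE and kexec_file_load() on CAP_SYS_BOOT, so state that the calls require those capabilities and that the missing check matters only for a caller that holds the capability but lacks read permission on the file. The paragraph also does not say what the fix changes (for example, whether the calls now reject a descriptor that was not opened for reading); the other filled-in entries describe the fixed behaviour, so this one should too.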
diff --git a/dsa-texts/4.9.303-1 b/dsa-texts/4.9.303-1
index a0244ec6c..6a63c08ed 100644
--- a/dsa-texts/4.9.303-1
+++ b/dsa-texts/4.9.303-1
@@ -149,13 +149,27 @@ CVE-2021-45095
It was discovered that the Phone Network protocol (PhoNet) driver
has a reference count leak in the pep_sock_accept() function.
-CVE-2022-0001
+CVE-2022-0001 (INTEL-SA-00598)
- Description
+ Researchers at VUSec discovered that the Branch History Buffer in
+ Intel processors can be exploited to create information side-
+ channels with speculative execution. This issue is similar to
+ Spectre variant 2, but requires additional mitigations on some
+ processors.
-CVE-2022-0002
+ This can be exploited to obtain sensitive information from a
+ different security context, such as from user-space to the kernel,
+ or from a KVM guest to the kernel.
- Description
+CVE-2022-0002 (INTEL-SA-00598)
+
+ This is a similar issue to CVE-2022-0001, but covers exploitation
+ within a security context, such as from JIT-compiled code in a
+ sandbox to hosting code in the same process.
+
+ This can be partly mitigated by disabling eBPF for unprivileged
+ users with the sysctl: kernel.unprivileged_bpf_disabled=2. This
+ update does that by default.
CVE-2022-0330
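Review bot: same gap as in the 4.19 text: the CVE-2022-0001 paragraph stops at describing the issue and never says whether the 4.9.303-1 kernel carries the BHB mitigations or needs new microcode, and "This update does that by default" for CVE-2022-0002 should say how the default is set and whether a pre-existing local kernel.unprivileged_bpf_disabled=0 setting will override it. Since this text is duplicated across three DSA files, consider keeping the wording identical between 4.9 and 4.19 (it is now) and noting in the commit message that the 5.10 variant intentionally differs in its last paragraph.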
diff --git a/dsa-texts/5.10.103-1 b/dsa-texts/5.10.103-1
index 235524912..143995ee0 100644
--- a/dsa-texts/5.10.103-1
+++ b/dsa-texts/5.10.103-1
@@ -23,13 +23,27 @@ CVE-2020-36310
which could lead to an infinite loop. A malicious VM guest could
exploit this to cause a denial of service.
-CVE-2022-0001
+CVE-2022-0001 (INTEL-SA-00598)
- Description
+ Researchers at VUSec discovered that the Branch History Buffer in
+ Intel processors can be exploited to create information side-
+ channels with speculative execution. This issue is similar to
+ Spectre variant 2, but requires additional mitigations on some
+ processors.
-CVE-2022-0002
+ This can be exploited to obtain sensitive information from a
+ different security context, such as from user-space to the kernel,
+ or from a KVM guest to the kernel.
- Description
+CVE-2022-0002 (INTEL-SA-00598)
+
+ This is a similar issue to CVE-2022-0001, but covers exploitation
+ within a security context, such as from JIT-compiled code in a
+ sandbox to hosting code in the same process.
+
+ This is partly mitigated by disabling eBPF for unprivileged users
+ with the sysctl: kernel.unprivileged_bpf_disabled=2. This is
+ already the default in Debian 11 "bullseye".
CVE-2022-0487
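Review bot: "This is already the default in Debian 11 'bullseye'" tells bullseye users what has not changed but not what has; the CVE-2022-0001 paragraph should say whether 5.10.103-1 adds the BHB mitigations referenced by INTEL-SA-00598 and whether updated microcode is also required. For CVE-2022-0002, add that administrators who set kernel.unprivileged_bpf_disabled=0 locally (the only way to get unprivileged eBPF back on bullseye) lose this partial mitigation, so the "already the default" sentence does not read as "nothing to do".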
