| author | Salvatore Bonaccorso <carnil@debian.org> | 2022-04-22 14:22:49 +0200 |
|---|---|---|
| committer | Salvatore Bonaccorso <carnil@debian.org> | 2022-04-22 14:22:49 +0200 |
| commit | 5198bc8cd067a6097d0ce842d995b9956a4f1fc8 (patch) | |
| tree | 3a3448d619a18e89c395da892a721603030125ca /retired | |
| parent | 44fb7f682e9a7cafaab9005a78b58a6a9db5ba30 (diff) | |
Retire two CVEs
Diffstat (limited to 'retired')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | retired/CVE-2021-4095 | 19 |
| -rw-r--r-- | retired/CVE-2022-1015 | 26 |

2 files changed, 45 insertions, 0 deletions
diff --git a/retired/CVE-2021-4095 b/retired/CVE-2021-4095 new file mode 100644 index 000000000..d799e5ba5 --- /dev/null +++ b/retired/CVE-2021-4095 @@ -0,0 +1,19 @@ +Description: KVM: NULL pointer dereference in kvm_dirty_ring_get() in virt/kvm/dirty_ring.c +References: + https://lore.kernel.org/kvm/CAFcO6XOmoS7EacN_n6v4Txk7xL7iqRa2gABg3F7E3Naf5uG94g@mail.gmail.com/ + https://patchwork.kernel.org/project/kvm/patch/20211121125451.9489-12-dwmw2@infradead.org/ + https://bugzilla.redhat.com/show_bug.cgi?id=2031194 + https://www.openwall.com/lists/oss-security/2021/12/14/2 + https://www.openwall.com/lists/oss-security/2022/01/17/1 +Notes: + bwh> Introduced in 5.12 by commit 629b5348841a "KVM: x86/xen: update + bwh> wallclock region". +Bugs: +upstream: released (5.17-rc1) [55749769fe608fa3f4a075e42e89d237c8e37637] +5.10-upstream-stable: N/A "Vulnerability introduced later" +4.19-upstream-stable: N/A "Vulnerability introduced later" +4.9-upstream-stable: N/A "Vulnerability introduced later" +sid: released (5.17.3-1) +5.10-bullseye-security: N/A "Vulnerability introduced later" +4.19-buster-security: N/A "Vulnerability introduced later" +4.9-stretch-security: N/A "Vulnerability introduced later" diff --git a/retired/CVE-2022-1015 b/retired/CVE-2022-1015 new file mode 100644 index 000000000..d4f7fd769 --- /dev/null +++ b/retired/CVE-2022-1015 
@@ -0,0 +1,26 @@ +Description: netfilter: nf_tables: validate registers coming from userspace. +References: + https://www.openwall.com/lists/oss-security/2022/03/28/5 +Notes: + carnil> Exploitable starting from commit 345023b0db3 ("netfilter: + carnil> nftables: add nft_parse_register_store() and use it") in + carnil> 5.12-rc1 but bug present since commit 49499c3e6e18 ("netfilter: + carnil> nf_tables: switch registers to 32 bit addressing") in 4.1-rc1 + carnil> Fixed in 5.17.1 for 5.17.y and 5.16.18 for 5.16.y. + bwh> If I understand this correctly, the issue is that nft_parse_register() + bwh> could return a very large register number that would lead to integer + bwh> overflow in the range check in nft_validate_register_{load,store}(). + bwh> This was not exploitable before commit 345023b0db3 because all in-tree + bwh> callers truncated the return value of nft_parse_register() to 8 bits + bwh> before passing it on to nft_validate_register_{load,store}(). + bwh> I also didn't find any out-of-tree modules using nft_parse_register() + bwh> through codesearch.debian.net or GitHub. +Bugs: +upstream: released (5.18-rc1) [6e1acfa387b9ff82cfc7db8cc3b6959221a95851] +5.10-upstream-stable: N/A "Vulnerability introduced later" +4.19-upstream-stable: N/A "Vulnerability introduced later" +4.9-upstream-stable: N/A "Vulnerability introduced later" +sid: released (5.16.18-1) +5.10-bullseye-security: N/A "Vulnerability introduced later" +4.19-buster-security: N/A "Vulnerability introduced later" +4.9-stretch-security: N/A "Vulnerability introduced later" |
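Review bot: In the retired/CVE-2021-4095 hunk, the Notes record the introducing commit (629b5348841a, 5.12) but not the mechanism, unlike the second entry; a sentence stating how the wallclock update added by that commit reaches kvm_dirty_ring_get() with a NULL pointer would let a later reader verify the N/A "Vulnerability introduced later" markings on 5.10/4.19/4.9 without re-reading the lore thread. The branch statuses are otherwise consistent with each other: introduced in 5.12, fixed upstream in 5.17-rc1 (55749769fe608fa3f4a075e42e89d237c8e37637), shipped in sid as 5.17.3-1, so every listed branch is released or N/A and the entry qualifies for retirement.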
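Review bot: In the retired/CVE-2022-1015 hunk, the reason string "Vulnerability introduced later" on the 5.10, 4.19 and 4.9 lines is at odds with the carnil note that the bug has been present since commit 49499c3e6e18 in 4.1-rc1; per the bwh note, what those branches lack is exploitability (in-tree callers truncated the nft_parse_register() result to 8 bits before commit 345023b0db3), not the bug itself. A reason that says so, e.g. N/A "Bug present but not exploitable before 345023b0db3", or a pointer to the note, would stop someone from assuming the code is absent in 5.10 and skipping a look at whether 6e1acfa387b9ff82cfc7db8cc3b6959221a95851 is worth carrying as hardening. The remaining lines are consistent: fix in 5.18-rc1, stable in 5.17.1 and 5.16.18, sid at 5.16.18-1.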