author | Salvatore Bonaccorso <carnil@debian.org> | 2022-03-25 20:49:54 +0100 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2022-03-25 20:49:54 +0100 |
commit | 799d3c586b6df4d41fccd5fc2ff796a087c26329 (patch) | |
tree | 58859fea1691e870e5406a47cbb0c08c1e4582e6 /retired | |
parent | e3e90ffdadf6bb9b0e7ff277a38879d594f49edd (diff) |
Retire several CVEs
Diffstat (limited to 'retired')
56 files changed, 902 insertions, 0 deletions
diff --git a/retired/CVE-2020-29374 b/retired/CVE-2020-29374 new file mode 100644 index 000000000..888e85eae --- /dev/null +++ b/retired/CVE-2020-29374 @@ -0,0 +1,19 @@ +Description: gup: document and work around "COW can break either way" issue +References: + https://bugs.chromium.org/p/project-zero/issues/detail?id=2045 + https://lore.kernel.org/stable/20210401182125.171484-1-surenb@google.com/ + https://lore.kernel.org/stable/20211012015244.693594-1-surenb@google.com/ +Notes: + bwh> The issue is said to go back to "2.x kernels" + carnil> The backport for 4.9.y got reverted in 4.9.298, cf. + carnil> 6fbb8383884f2c89f4c7e2c8603b5ed1b90b815f, and then followed by + carnil> 0c29640bdecad332b9e2b884217c159f4aeb2556. +Bugs: +upstream: released (5.8-rc1) [17839856fd588f4ab6b789f482ed3ffd7c403e1f] +5.10-upstream-stable: N/A "Fixed before branch point" +4.19-upstream-stable: released (4.19.189) [5e24029791e809d641e9ea46a1f99806484e53fc], released (4.19.226) [294c7a9fb608c29a9e49010b515228e20ccbec8f] +4.9-upstream-stable: released (4.9.298) [0c29640bdecad332b9e2b884217c159f4aeb2556] +sid: released (5.7.6-1) +5.10-bullseye-security: N/A "Fixed before branching point" +4.19-buster-security: released (4.19.194-1), released (4.19.232-1) +4.9-stretch-security: released (4.9.272-1) [bugfix/all/gup-document-and-work-around-cow-can-break-either-wa.patch] diff --git a/retired/CVE-2020-36322 b/retired/CVE-2020-36322 new file mode 100644 index 000000000..5aa1831cf --- /dev/null +++ b/retired/CVE-2020-36322 
@@ -0,0 +1,16 @@ +Description: fuse: fix bad inode +References: +Notes: + carnil> Note that this CVE relates as well to CVE-2021-28950, which is + carnil> assigned because of an initial incomplete fix for this CVE. + bwh> Commit message says this bug has been present since the + bwh> introduction of fuse. +Bugs: +upstream: released (5.11-rc1) [5d069dbe8aaf2a197142558b6fb2978189ba3454] +5.10-upstream-stable: released (5.10.6) [36cf9ae54b0ead0daab7701a994de3dcd9ef605d] +4.19-upstream-stable: released (4.19.226) [1e1bb4933f1faafc68db8e0ecd5838a65dd1aae9] +4.9-upstream-stable: released (4.9.298) [3a2f8823aa565cc67bdd00c4cd5e1d8ad81e8436] +sid: released (5.10.9-1) +5.10-bullseye-security: N/A "Fixed before branching point" +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.272-1) [bugfix/all/fuse-fix-bad-inode.patch] diff --git a/retired/CVE-2021-20317 b/retired/CVE-2021-20317 new file mode 100644 index 000000000..44ec69857 --- /dev/null +++ b/retired/CVE-2021-20317 @@ -0,0 +1,17 @@ +Description: lib/timerqueue: Rely on rbtree semantics for next timer +References: + https://bugzilla.redhat.com/show_bug.cgi?id=2005258 +Notes: + bwh> It's not totally clear what the bug is, but the code in 4.9 is + bwh> similar enough to 4.19 that I think it must also be affected. + bwh> For 4.9, commit cd9e61ed1eeb "rbtree: cache leftmost node internally" + bwh> needs to be applied first. +Bugs: +upstream: released (5.4-rc1) [511885d7061eda3eb1faf3f57dcc936ff75863f1] +5.10-upstream-stable: N/A "Fixed before branching point" +4.19-upstream-stable: released (4.19.210) [b9a1ac8e7c03fd09992352c7fb1a61cbbb9ad52b] +4.9-upstream-stable: released (4.9.298) [ef2e64035f074bfeef14c28347aaec0b486a9e9f] +sid: released (5.4.6-1) +5.10-bullseye-security: N/A "Fixed before branching point" +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.290-1) [bugfix/all/lib-timerqueue-rely-on-rbtree-semantics-for-next-tim.patch] 
diff --git a/retired/CVE-2021-20321 b/retired/CVE-2021-20321 new file mode 100644 index 000000000..ecbcf5587 --- /dev/null +++ b/retired/CVE-2021-20321 @@ -0,0 +1,13 @@ +Description: ovl: fix missing negative dentry check in ovl_rename() +References: + https://bugzilla.redhat.com/show_bug.cgi?id=2013242 +Notes: +Bugs: +upstream: released (5.15-rc5) [a295aef603e109a47af355477326bd41151765b6] +5.10-upstream-stable: released (5.10.73) [9763ffd4da217adfcbdcd519e9f434dfa3952fc3] +4.19-upstream-stable: released (4.19.211) [9d4969d8b5073d02059bae3f1b8d9a20cf023c55] +4.9-upstream-stable: released (4.9.287) [286f94453fb34f7bd6b696861c89f9a13f498721] +sid: released (5.14.12-1) +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.290-1) diff --git a/retired/CVE-2021-20322 b/retired/CVE-2021-20322 new file mode 100644 index 000000000..d5917886c --- /dev/null +++ b/retired/CVE-2021-20322 
@@ -0,0 +1,27 @@ +Description: new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies +References: + https://bugzilla.redhat.com/show_bug.cgi?id=2014230 + https://lore.kernel.org/stable/YXwNmcIcmOYTRhG2@kroah.com/T/#m0104263473be2806725abb19a30d6288da622898 +Notes: + carnil> Backports for 4.19.y and 4.9.y seems incomplete for the time + carnil> beeing and only have the "ipv4: make exception cache less + carnil> predictible" patch. + bwh> Introduced for ipv4 in 3.6 by commit 4895c771c7f0 "ipv4: Add FIB nexthop + bwh> exceptions." + bwh> Introduced For ipv6 in 4.15 by commits 35732d01fe31 "ipv6: introduce a + bwh> hash table to store dst cache" and 2b760fcf5cfb "ipv6: hook up exception + bwh> table to store dst cache". + bwh> So for the 4.9 branches only ipv4 needs to be fixed. + carnil> For 4.19.y additionally required + carnil> ipv4: use siphash instead of Jenkins in fnhe_hashfun() + carnil> ipv6: use siphash in rt6_exception_hash() + carnil> ipv6: make exception cache less predictible +Bugs: +upstream: released (5.14) [4785305c05b25a242e5314cc821f54ade4c18810, 6457378fe796815c973f631a1904e147d6ee33b1], released (5.15-rc1) [a00df2caffed3883c341d5685f830434312e4a43, 67d6d681e15b578c1725bad8ad079e05d1c48a8e] +5.10-upstream-stable: released (5.10.62) ]dced8347a727528b388f04820f48166f1e651af6, beefd5f0c63a31a83bc5a99e6888af884745684b], released (5.10.65) [8692f0bb29927d13a871b198adff1d336a8d2d00, 5867e20e1808acd0c832ddea2587e5ee49813874] +4.19-upstream-stable: released (4.19.207) [3e6bd2b583f18da9856fc9741ffa200a74a52cba], released (4.19.215) [6e2856767eb1a9cfcfcd82136928037f04920e97, ad829847ad59af8e26a1f1c345716099abbc7a58, c6d0d68d6da68159948cad3d808d61bb291a0283] +4.9-upstream-stable: released (4.9.283) [f10ce783bcc4d8ea454563a7d56ae781640e7dcb] +sid: released (5.14.6-1) +5.10-bullseye-security: released (5.10.70-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.290-1) 
diff --git a/retired/CVE-2021-28711 b/retired/CVE-2021-28711 new file mode 100644 index 000000000..d5df51340 --- /dev/null +++ b/retired/CVE-2021-28711 @@ -0,0 +1,15 @@ +Description: Rogue backends can cause DoS of guests via high frequency events (blkfront) +References: + https://xenbits.xen.org/xsa/advisory-391.html + https://xenbits.xen.org/xsa/xsa391-linux-1.patch +Notes: + carnil> Fixed as well in 5.15.11 for 5.15.y. +Bugs: +upstream: released (5.16-rc7) [0fd08a34e8e3b67ec9bd8287ac0facf8374b844a] +5.10-upstream-stable: released (5.10.88) [8ac3b6ee7c9ff2df7c99624bb1235e2e55623825] +4.19-upstream-stable: released (4.19.222) [269d7124bcfad2558d2329d0fe603ca20b20d3f4] +4.9-upstream-stable: released (4.9.294) [25898389795bd85d8e1520c0c75c3ad906c17da7] +sid: released (5.15.15-1) +5.10-bullseye-security: released (5.10.92-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2021-28712 b/retired/CVE-2021-28712 new file mode 100644 index 000000000..de8b6230c --- /dev/null +++ b/retired/CVE-2021-28712 @@ -0,0 +1,15 @@ +Description: Rogue backends can cause DoS of guests via high frequency events (netfront) +References: + https://xenbits.xen.org/xsa/advisory-391.html + https://xenbits.xen.org/xsa/xsa391-linux-2.patch +Notes: + carnil> Fixed as well in 5.15.11 for 5.15.y. +Bugs: +upstream: released (5.16-rc7) [b27d47950e481f292c0a5ad57357edb9d95d03ba] +5.10-upstream-stable: released (5.10.88) [d31b3379179d64724d3bbfa87bd4ada94e3237de] +4.19-upstream-stable: released (4.19.222) [3559ca594f15fcd23ed10c0056d40d71e5dab8e5] +4.9-upstream-stable: released (4.9.294) [99120c8230fdd5e8b72a6e4162db9e1c0a61954a] +sid: released (5.15.15-1) +5.10-bullseye-security: released (5.10.92-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2021-28713 b/retired/CVE-2021-28713 new file mode 100644 index 000000000..842250798 --- /dev/null +++ b/retired/CVE-2021-28713 
@@ -0,0 +1,15 @@ +Description: Rogue backends can cause DoS of guests via high frequency events (hvc_xen (console)) +References: + https://xenbits.xen.org/xsa/advisory-391.html + https://xenbits.xen.org/xsa/xsa391-linux-3.patch +Notes: + carnil> For 5.15.y fixed as well in 5.15.11. +Bugs: +upstream: released (5.16-rc7) [fe415186b43df0db1f17fa3a46275fd92107fe71] +5.10-upstream-stable: released (5.10.88) [8fa3a370cc2af858a9ba662ca4f2bd0917550563] +4.19-upstream-stable: released (4.19.222) [57e46acb3b48ea4e8efb1e1bea2e89e0c6cc43e2] +4.9-upstream-stable: released (4.9.294) [728389c21176b2095fa58e858d5ef1d2f2aac429] +sid: released (5.15.15-1) +5.10-bullseye-security: released (5.10.92-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2021-28714 b/retired/CVE-2021-28714 new file mode 100644 index 000000000..d6d8c5678 --- /dev/null +++ b/retired/CVE-2021-28714 @@ -0,0 +1,17 @@ +Description: Guest can force Linux netback driver to hog large amounts of kernel memory +References: + https://xenbits.xen.org/xsa/advisory-392.html + https://xenbits.xen.org/xsa/xsa392-linux-1.patch +Notes: + carnil> Commit fixes 1d5d48523900 ("xen-netback: require fewer guest Rx + carnil> slots when not using GSO") in 4.3-rc1. + carnil> Fixed as well in 5.15.11 for 5.15.y. +Bugs: +upstream: released (5.16-rc7) [6032046ec4b70176d247a71836186d47b25d1684] +5.10-upstream-stable: released (5.10.88) [525875c410df5d876b9615c44885ca7640aed6f2] +4.19-upstream-stable: released (4.19.222) [1de7644eac41981817fb66b74e0f82ca4477dc9d] +4.9-upstream-stable: released (4.9.294) [1f66dc775092e5a353e0155fc3aca5dabce77c63] +sid: released (5.15.15-1) +5.10-bullseye-security: released (5.10.92-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2021-28715 b/retired/CVE-2021-28715 new file mode 100644 index 000000000..273097922 --- /dev/null +++ b/retired/CVE-2021-28715 
@@ -0,0 +1,17 @@ +Description: Guest can force Linux netback driver to hog large amounts of kernel memory +References: + https://xenbits.xen.org/xsa/advisory-392.html + https://xenbits.xen.org/xsa/xsa392-linux-2.patch +Notes: + carnil> Commit fixes f48da8b14d04 ("xen-netback: fix unlimited guest Rx + carnil> internal queue and carrier flapping"). + carnil> For 5.15.y fixed as well in 5.15.11. +Bugs: +upstream: released (5.16-rc7) [be81992f9086b230623ae3ebbc85ecee4d00a3d3] +5.10-upstream-stable: released (5.10.88) [88f20cccbeec9a5e83621df5cc2453b5081454dc] +4.19-upstream-stable: released (4.19.222) [c9f17e92917fd5786be872626a3928979ecc4c39] +4.9-upstream-stable: released (4.9.294) [b4226b387436315e7f57465c15335f4f4b5b075d] +sid: released (5.15.15-1) +5.10-bullseye-security: released (5.10.92-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2021-28950 b/retired/CVE-2021-28950 new file mode 100644 index 000000000..18e926a5e --- /dev/null +++ b/retired/CVE-2021-28950 
@@ -0,0 +1,18 @@ +Description: fuse: fix live lock in fuse_iget() +References: +Notes: + carnil> Commit fixes 5d069dbe8aaf ("fuse: fix bad inode") which is only + carnil> present in 5.4.88, 5.10.6 and 5.11-rc1 so might not affect + carnil> older versions. + bwh> Commit 5d069dbe8aaf "fuse: fix bad inode" fixed another DoS issue, + bwh> so we'll need to backport both of them. + carnil> The 5d069dbe8aaf "fuse: fix bad inode" is CVE-2020-36322. +Bugs: +upstream: released (5.12-rc4) [775c5033a0d164622d9d10dd0f0a5531639ed3ed] +5.10-upstream-stable: released (5.10.25) [d955f13ea2120269319d6133d0dd82b66d1eeca3] +4.19-upstream-stable: released (4.19.226) [8a8908cb82568c71b672e83d834e8b59ccf75f8e] +4.9-upstream-stable: released (4.9.298) [fde32bbe9a540af28579da6480fc55cc50099ece] +sid: released (5.10.24-1) [bugfix/all/fuse-fix-live-lock-in-fuse_iget.patch] +5.10-bullseye-security: N/A "Fixed before branching point" +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.272-1) [bugfix/all/fuse-fix-live-lock-in-fuse_iget.patch] diff --git a/retired/CVE-2021-29264 b/retired/CVE-2021-29264 new file mode 100644 index 000000000..14e831ba4 --- /dev/null +++ b/retired/CVE-2021-29264 @@ -0,0 +1,15 @@ +Description: gianfar: fix jumbo packets+napi+rx overrun crash +References: +Notes: + bwh> Introduced in 4.8 by commit 6c389fc931bc "gianfar: fix size of + bwh> scatter-gathered frames". + bwh> Driver is not enabled by any Debian official config. +Bugs: +upstream: released (5.12-rc3) [d8861bab48b6c1fc3cdbcab8ff9d1eaea43afe7f] +5.10-upstream-stable: released (5.10.27) [b8bfda6e08b8a419097eea5a8e57671bc36f9939] +4.19-upstream-stable: released (4.19.184) [9943741c2792a7f1d091aad38f496ed6eb7681c4] +4.9-upstream-stable: released (4.9.298) [2cf34285e6eac396a180762c5504e2911df88c9a] +sid: released (5.10.28-1) +5.10-bullseye-security: N/A "Fixed before branching point" +4.19-buster-security: released (4.19.194-1) +4.9-stretch-security: released (4.9.303-1) 
diff --git a/retired/CVE-2021-33033 b/retired/CVE-2021-33033 new file mode 100644 index 000000000..ce1e73191 --- /dev/null +++ b/retired/CVE-2021-33033 @@ -0,0 +1,22 @@ +Description: cipso,calipso: resolve a number of problems with the DOI refcounts +References: + https://sites.google.com/view/syzscope/kasan-use-after-free-read-in-cipso_v4_genopt + https://syzkaller.appspot.com/bug?id=96e7d345748d8814901c91cd92084ed04b46701e +Notes: + carnil> First commit required landed in 4.19.181, 5.10.24, 5.12-rc3. + carnil> Second one in 4.19.187, 5.10.30, 5.12-rc7. + bwh> The "second commit" in ieee802154 (1165affd4848) is fixing a + bwh> totally different issue. These components are part of Netlabel + bwh> which was only enabled by Debian official configs since version + bwh> 5.6.7-1. + carnil> The "second comit" is indeed a completely different issue, and + carnil> got CVE-2021-3659 assigned. +Bugs: +upstream: released (5.12-rc7) [ad5d07f4a9cd671233ae20983848874731102c08] +5.10-upstream-stable: released (5.10.24) [85178d76febd30a745b7d947dbd9751919d0fa5b] +4.19-upstream-stable: released (4.19.181) [a44af1c69737f9e64d5134c34eb9d5c4c2e04da1] +4.9-upstream-stable: released (4.9.298) [f49f0e65a95664b648e058aa923f651ec08dfeb7] +sid: released (5.10.24-1) +5.10-bullseye-security: N/A "Fixed before branching point" +4.19-buster-security: released (4.19.181-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2021-3640 b/retired/CVE-2021-3640 new file mode 100644 index 000000000..9442849a7 --- /dev/null +++ b/retired/CVE-2021-3640 
@@ -0,0 +1,22 @@ +Description: UAF in sco_send_frame function +References: + https://www.openwall.com/lists/oss-security/2021/07/22/1 + https://bugzilla.suse.com/show_bug.cgi?id=1188172 + https://x-lore.kernel.org/all/883dc4b7-d1a1-3d31-a5a8-8fa1791084b6@i-love.sakura.ne.jp/ +Notes: + carnil> Prerequisites before the "last piece for fixing CVE-2021-3640" + carnil> are e04480920d1e ("Bluetooth: defer cleanup of resources in + carnil> hci_unregister_dev()") and 734bc5ff7831 ("Bluetooth: avoid + carnil> circular locks in sco_sock_connect"), ba316be1b6a0 ("Bluetooth: + carnil> schedule SCO timeouts with delayed_work"), 27c24fda62b6 + carnil> ("Bluetooth: switch to lock_sock in SCO") + carnil> For 5.15.y fixed as well in 5.15.3 +Bugs: +upstream: released (5.16-rc1) [99c23da0eed4fd20cae8243f2b51e10e66aa0951] +5.10-upstream-stable: released (5.10.80) [4dfba42604f08a505f1a1efc69ec5207ea6243de] +4.19-upstream-stable: released (4.19.218) [c1c913f797f3d2441310182ad75b7bd855a327ff] +4.9-upstream-stable: released (4.9.291) [9bbe312ebea40c9b586c2b07a0d0948ff418beca] +sid: released (5.15.3-1) +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2021-3744 b/retired/CVE-2021-3744 new file mode 100644 index 000000000..47438db16 --- /dev/null +++ b/retired/CVE-2021-3744 
@@ -0,0 +1,16 @@ +Description: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd() +References: + https://bugzilla.redhat.com/show_bug.cgi?id=2000627 + https://www.openwall.com/lists/oss-security/2021/09/14/1 +Notes: + bwh> Introduced in 4.12 by commit 36cf515b9bbe "crypto: ccp - Enable support + bwh> for AES GCM on v5 CCPs". +Bugs: +upstream: released (5.15-rc4) [505d9dcb0f7ddf9d075e729523a33d38642ae680] +5.10-upstream-stable: released (5.10.71) [17ccc64e4fa5d3673528474bfeda814d95dc600a] +4.19-upstream-stable: released (4.19.209) [710be7c42d2f724869e5b18b21998ceddaffc4a9] +4.9-upstream-stable: N/A "Vulnerability introduced later" +sid: released (5.14.12-1) +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: N/A "Vulnerability introduced later" diff --git a/retired/CVE-2021-3752 b/retired/CVE-2021-3752 new file mode 100644 index 000000000..dd73c6773 --- /dev/null +++ b/retired/CVE-2021-3752 @@ -0,0 +1,18 @@ +Description: UAF in bluetooth +References: + https://www.openwall.com/lists/oss-security/2021/09/15/4 + https://bugzilla.suse.com/show_bug.cgi?id=1190023 + https://lore.kernel.org/lkml/20210714031733.1395549-1-bobo.shaobowang@huawei.com/ +Notes: + carnil> With the presence of 3af70b39fa2d ("Bluetooth: check for zapped + carnil> sk before connecting") in 5.13-rc1 (and 5.10.38, 4.19.191) this + carnil> bug is not easy to trigger itself. +Bugs: +upstream: released (5.16-rc1) [1bff51ea59a9afb67d2dd78518ab0582a54a472c] +5.10-upstream-stable: released (5.10.80) [c10465f6d6208db2e45a6dac1db312b9589b2583] +4.19-upstream-stable: released (4.19.218) [72bb30165337b7bce77578ad151fbfab6c8e693c] +4.9-upstream-stable: released (4.9.291) [d19ea7da0eeb61be28ec05d8b8bddec3dde71610] +sid: released (5.15.3-1) +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) 
diff --git a/retired/CVE-2021-3760 b/retired/CVE-2021-3760 new file mode 100644 index 000000000..fbf47f7e7 --- /dev/null +++ b/retired/CVE-2021-3760 @@ -0,0 +1,18 @@ +Description: nfc: nci: fix the UAF of rf_conn_info object +References: + https://www.openwall.com/lists/oss-security/2021/10/26/2 +Notes: + carnil> Fixed as well in 5.14.15 for 5.14.y. + bwh> Introduced in 4.0 by commits 12bdf27d46c9 "NFC: nci: Add reference to + bwh> the RF logical connection" and 15d4a8da0e44 "NFC: nci: Move logical + bwh> connection structure allocation". + carnil> CONFIG_NFC_NCI is not set in Debian. +Bugs: +upstream: released (5.15-rc6) [1b1499a817c90fd1ce9453a2c98d2a01cca0e775] +5.10-upstream-stable: released (5.10.76) [77c0ef979e32b8bc22f36a013bab77cd37e31530] +4.19-upstream-stable: released (4.19.214) [1ac0d736c8ae9b59ab44e4e80ad73c8fba5c6132] +4.9-upstream-stable: released (4.9.288) [8a44904ce83ebcb1281b04c8d37ad7f8ab537a3d] +sid: released (5.14.16-1) +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.290-1) diff --git a/retired/CVE-2021-3764 b/retired/CVE-2021-3764 new file mode 100644 index 000000000..437f5019e --- /dev/null +++ b/retired/CVE-2021-3764 
@@ -0,0 +1,16 @@ +Description: DoS in ccp_run_aes_gcm_cmd() function +References: + https://bugzilla.redhat.com/show_bug.cgi?id=1997467 +Notes: + carnil> Patch for CVE-2021-3744 contains fix as well for this issue. + bwh> Introduced in 4.12 by commit 36cf515b9bbe "crypto: ccp - Enable support + bwh> for AES GCM on v5 CCPs". +Bugs: +upstream: released (5.15-rc4) [505d9dcb0f7ddf9d075e729523a33d38642ae680] +5.10-upstream-stable: released (5.10.71) [17ccc64e4fa5d3673528474bfeda814d95dc600a] +4.19-upstream-stable: released (4.19.209) [710be7c42d2f724869e5b18b21998ceddaffc4a9] +4.9-upstream-stable: N/A "Vulnerability introduced later" +sid: released (5.14.12-1) +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: N/A "Vulnerability introduced later" diff --git a/retired/CVE-2021-39685 b/retired/CVE-2021-39685 new file mode 100644 index 000000000..5229b8716 --- /dev/null +++ b/retired/CVE-2021-39685 @@ -0,0 +1,14 @@ +Description: Linux Kernel USB Gadget buffer overflow +References: + https://www.openwall.com/lists/oss-security/2021/12/15/4 +Notes: + carnil> Fixed as well in 5.15.8 for 5.15.y. +Bugs: +upstream: released (5.16-rc5) [153a2d7e3350cc89d406ba2d35be8793a64c2038, 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3] +5.10-upstream-stable: released (5.10.85) [7193ad3e50e596ac2192531c58ba83b9e6d2444b, e4de8ca013f06ad4a0bf40420a291c23990e4131] +4.19-upstream-stable: released (4.19.221) [13e45e7a262dd96e8161823314679543048709b9, 32de5efd483db68f12233fbf63743a2d92f20ae4] +4.9-upstream-stable: released (4.9.293) [d2ca6859ea96c6d4c6ad3d6873a308a004882419, e4de8ca013f06ad4a0bf40420a291c23990e4131] +sid: released (5.15.5-2) [bugfix/all/USB-gadget-detect-too-big-endpoint-0-requests.patch, bugfix/all/USB-gadget-zero-allocate-endpoint-0-buffers.patch] +5.10-bullseye-security: released (5.10.92-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) 
diff --git a/retired/CVE-2021-39686 b/retired/CVE-2021-39686 new file mode 100644 index 000000000..866327d4d --- /dev/null +++ b/retired/CVE-2021-39686 @@ -0,0 +1,13 @@ +Description: +References: + https://source.android.com/security/bulletin/2022-03-01 +Notes: +Bugs: +upstream: released (5.16-rc1) [29bc22ac5e5bc63275e850f0c8fc549e3d0e306b, 52f88693378a58094c538662ba652aff0253c4fe, 4d5b5539742d2554591751b4248b0204d20dcc9d, c21a80ca0684ec2910344d72556c816cb8940c01] +5.10-upstream-stable: released (5.10.80) [bd9cea41ac6e08f615030dea28b23e12b7a2674f, 0d9f4ae7cd6f5283dd0e343265268c695ef592b0, afbec52fbce006a775edb21f87ccae713bc0e7d6], released (5.10.83) [4402cf0402526f7c5befa97481be13b131797838] +4.19-upstream-stable: released (4.19.218) [5d40061285b81a7e213dc9b37acc4a0545eedf32, e82f3f9638f17d58e9a217bce127e2376aefcb9d], released (4.19.219) [c3b9f29fca6682550d731c80745b421415c1e0af] +4.9-upstream-stable: released (4.9.291) [443fc43d2fdbf55be7aa86faae1f7655e761e683, 22d4a6dacee058b58640ef8109b0c8fc5d1b80e2], released (4.9.292) [404fb1097298690b1d7d1c59eab806bbdd757267] +sid: released (5.15.15-1) +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2021-39698 b/retired/CVE-2021-39698 new file mode 100644 index 000000000..1cd1d5fb3 --- /dev/null +++ b/retired/CVE-2021-39698 
@@ -0,0 +1,13 @@ +Description: +References: + https://source.android.com/security/bulletin/2022-03-01 +Notes: +Bugs: +upstream: released (5.16-rc5) [42288cb44c4b5fff7653bc392b583a2b8bd6a8c0, a880b28a71e39013e357fd3adccd1d8a31bc69a8, 9537bae0da1f8d1e2361ab6d0479e8af7824e160, 363bee27e25804d8981dd1c025b4ad49dc39c530, 50252e4b5e989ce64555c7aef7516bdefc2fea72] +5.10-upstream-stable: released (5.10.85) [8e04c8397bf98235b1aa41153717de7a05e652a2, 9f3acee7eac8d8690134b09ba55e2c12164d24ae, fc2f636ffc446d8e9530e441897f877922269051, e4d19740bccab792f16c7ca6fd1f9aea06193cb2, 47ffefd88abfffe8a040bcc1dd0554d4ea6f7689] +4.19-upstream-stable: released (4.19.221) [8dd7c46a59756bdc29cb9783338b899cd3fb4b83, 32288f504035b6c359cc33ee615f74f14be2e38a, f226fdd855b7d9c1f2a6e878d82eb3e1fbc880e9, 580c7e023303ce3a187adcaa40868bfc740725d2, 321fba81ec034f88aea4898993c1bf15605c023f] +4.9-upstream-stable: released (4.9.293) [0e92a7e47a0411d5208990c83a3d200515e314e8, 0487ea896e62b5a90a81ac6e73c35e595d77f499, 5ecb4e93d70a21f3b7094029986ef0c3e321f56c] +sid: released (5.15.15-1) +5.10-bullseye-security: released (5.10.92-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2021-39714 b/retired/CVE-2021-39714 new file mode 100644 index 000000000..52109ef29 --- /dev/null +++ b/retired/CVE-2021-39714 
@@ -0,0 +1,16 @@ +Description: +References: + https://source.android.com/security/bulletin/pixel/2022-03-01 +Notes: + carnil> ion driver removing from the tree in 5.11-rc1. Earlier the + carnil> affected code was removed with e3b914bc7eb6 ("staging: android: + carnil> ion: Drop ion_map_kernel interface") in 4.12-rc1. +Bugs: +upstream: released (4.12-rc1) [e3b914bc7eb6bcecc5b597ee6e31fc40442c291f] +5.10-upstream-stable: N/A "Fixed before branching point" +4.19-upstream-stable: N/A "Fixed before branching point" +4.9-upstream-stable: released (4.9.292) [16b34e53eaadda6cbb1f0452fd99700c44db23be] +sid: released (4.12.6-1) +5.10-bullseye-security: N/A "Fixed before branching point" +4.19-buster-security: N/A "Fixed before branching point" +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2021-4002 b/retired/CVE-2021-4002 new file mode 100644 index 000000000..307fe96a4 --- /dev/null +++ b/retired/CVE-2021-4002 @@ -0,0 +1,16 @@ +Description: hugetlbfs: flush TLBs correctly after huge_pmd_unshare +References: + https://www.openwall.com/lists/oss-security/2021/11/25/1 +Notes: + carnil> For 5.16-rc1 onwards only additionally there is 13e4ad2ce8df + carnil> ("hugetlbfs: flush before unlock on + carnil> move_hugetlb_page_tables()") to be applied. +Bugs: +upstream: released (5.16-rc3) [a4a118f2eead1d6c49e00765de89878288d4b890] +5.10-upstream-stable: released (5.10.82) [40bc831ab5f630431010d1ff867390b07418a7ee] +4.19-upstream-stable: released (4.19.219) [b0313bc7f5fbb6beee327af39d818ffdc921821a] +4.9-upstream-stable: released (4.9.292) [8e80bf5d001594b037de04fb4fe89f34cfbcb3ba] +sid: released (5.15.5-1) +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2021-4083 b/retired/CVE-2021-4083 new file mode 100644 index 000000000..7bea8215c --- /dev/null +++ b/retired/CVE-2021-4083 
@@ -0,0 +1,15 @@ +Description: fget: check that the fd still exists after getting a ref to it +References: + https://bugzilla.redhat.com/show_bug.cgi?id=2029923 + https://bugs.chromium.org/p/project-zero/issues/detail?id=2247 +Notes: + carnil> Fixed as weil in 5.15.7 for 5.15.y. +Bugs: +upstream: released (5.16-rc4) [054aa8d439b9185d4f5eb9a90282d1ce74772969] +5.10-upstream-stable: released (5.10.84) [4baba6ba56eb91a735a027f783cc4b9276b48d5b] +4.19-upstream-stable: released (4.19.220) [8bf31f9d9395b71af3ed33166a057cd3ec0c59da] +4.9-upstream-stable: released (4.9.292) [a043f5a600052dc93bc3d7a6a2c1592b6ee77482] +sid: released (5.15.5-2) [bugfix/all/fget-check-that-the-fd-still-exists-after-getting-a-.patch] +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2021-4135 b/retired/CVE-2021-4135 new file mode 100644 index 000000000..afb593ef9 --- /dev/null +++ b/retired/CVE-2021-4135 @@ -0,0 +1,17 @@ +Description: netdevsim: Zero-initialize memory for new map's value in function nsim_bpf_map_alloc +References: + https://bugzilla.redhat.com/show_bug.cgi?id=2026786 +Notes: + carnil> Commit fixes 395cacb5f1a0 ("netdevsim: bpf: support fake map + carnil> offload") in 4.16-rc1. + carnil> Fixed as well in 5.15.11 for 5.15.y. + carnil> CONFIG_NETDEVSIM is not set is not set in Debian +Bugs: +upstream: released (5.16-rc6) [481221775d53d6215a6e5e9ce1cce6d2b4ab9a46] +5.10-upstream-stable: released (5.10.88) [1a34fb9e2bf3029f7c0882069d67ff69cbd645d8] +4.19-upstream-stable: released (4.19.222) [d861443c4dc88650eed113310d933bd593d37b23] +4.9-upstream-stable: N/A "Vulnerable code introduced later" +sid: released (5.15.15-1) +5.10-bullseye-security: released (5.10.92-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: N/A "Vulnerable code introduced later" diff --git a/retired/CVE-2021-4155 b/retired/CVE-2021-4155 new file mode 100644 index 000000000..932a7f337 
--- /dev/null +++ b/retired/CVE-2021-4155 @@ -0,0 +1,15 @@ +Description: xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate +References: + https://bugzilla.redhat.com/show_bug.cgi?id=2034813 + https://www.openwall.com/lists/oss-security/2022/01/10/1 +Notes: + carnil> Fixed as well in 5.15.14 for 5.15.y. +Bugs: +upstream: released (5.16) [983d8e60f50806f90534cc5373d0ce867e5aaf79] +5.10-upstream-stable: released (5.10.91) [16d8568378f9ee2d1e69216d39961aa72710209f] +4.19-upstream-stable: released (4.19.225) [1c3564fca0e7b8c9e96245a2cb35e198b036ee9a] +4.9-upstream-stable: released (4.9.297) [19e3d9a26f28f432ae89acec22ec47b2a72a502c] +sid: released (5.15.15-1) +5.10-bullseye-security: released (5.10.92-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2021-41864 b/retired/CVE-2021-41864 new file mode 100644 index 000000000..baa295947 --- /dev/null +++ b/retired/CVE-2021-41864 @@ -0,0 +1,17 @@ +Description: bpf: Fix integer overflow in prealloc_elems_and_freelist() +References: + https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=30e29a9a2bc6a4888335a6ede968b75cd329657a + https://lore.kernel.org/bpf/728b238e-a481-eb50-98e9-b0f430ab01e7@gmail.com/ +Notes: + carnil> Commit fixes 557c0c6e7df8 ("bpf: convert stackmap to pre- + carnil> allocation"). + carnil> Fixed as well in 5.14.12 in the 5.14.y series. +Bugs: +upstream: released (5.15-rc5) [30e29a9a2bc6a4888335a6ede968b75cd329657a] +5.10-upstream-stable: released (5.10.73) [064faa8e8a9b50f5010c5aa5740e06d477677a89] +4.19-upstream-stable: released (4.19.211) [078cdd572408176a3900a6eb5a403db0da22f8e0] +4.9-upstream-stable: released (4.9.287) [4fd6663eb01bc3c73143cd27fefd7b8351bc6aa6] +sid: released (5.14.12-1) +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.290-1) 
diff --git a/retired/CVE-2021-4202 b/retired/CVE-2021-4202 new file mode 100644 index 000000000..95ef54c08 --- /dev/null +++ b/retired/CVE-2021-4202 @@ -0,0 +1,14 @@ +Description: Race condition in nci_request() leads to use after free while the device is getting removed +References: + https://bugzilla.redhat.com/show_bug.cgi?id=2036682 +Notes: + carnil> CONFIG_NFC_NCI not enabled in Debian. +Bugs: +upstream: released (5.16-rc2) [86cdf8e38792545161dbe3350a7eced558ba4d15, 48b71a9e66c2eab60564b1b1c85f4928ed04e406] +5.10-upstream-stable: released (5.10.82) [cb14b196d991c864ed2d1b6e79d68a7ce38e6538, 34e54703fb0fdbfc0a3cfc065d71e9a8353d3ac9] +4.19-upstream-stable: released (4.19.218) [62be2b1e7914b7340281f09412a7bbb62e6c8b67], (4.19.219) 2350cffd71e74bf81dedc989fdec12aebe89a4a5] +4.9-upstream-stable: released (4.9.291) [4a59a3681158a182557c75bacd00d184f9b2a8f5], (4.9.292) [57c076e64ab55adf556cc515914564d61979f7c2] +sid: released (5.15.5-1) +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2021-4203 b/retired/CVE-2021-4203 new file mode 100644 index 000000000..ec6f6bc46 --- /dev/null +++ b/retired/CVE-2021-4203 
@@ -0,0 +1,17 @@ +Description: af_unix: fix races in sk_peer_pid and sk_peer_cred accesses +References: + https://bugzilla.redhat.com/show_bug.cgi?id=2036934 + https://lore.kernel.org/netdev/20210929225750.2548112-1-eric.dumazet@gmail.com/T/ + https://bugs.chromium.org/p/project-zero/issues/detail?id=2230 +Notes: + carnil> Commit fixes 109f6e39fa07 ("af_unix: Allow SO_PEERCRED to work + carnil> across namespaces."). +Bugs: +upstream: released (5.15-rc4) [35306eb23814444bd4021f8a1c3047d3cb0c8b2b] +5.10-upstream-stable: released (5.10.71) [3db53827a0e9130d9e2cbe3c3b5bca601caa4c74] +4.19-upstream-stable: released (4.19.209) [0512a9aede6e4417c4fa6e0042a7ca8bc7e06b86] +4.9-upstream-stable: released (4.9.286) [09818f629bafbe20e24bac919019853ea3ac5ca4] +sid: released (5.14.12-1) +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.290-1) diff --git a/retired/CVE-2021-42739 b/retired/CVE-2021-42739 new file mode 100644 index 000000000..7dfd3bdf4 --- /dev/null +++ b/retired/CVE-2021-42739 
@@ -0,0 +1,16 @@ +Description: media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt() +References: + https://bugzilla.redhat.com/show_bug.cgi?id=1951739 + https://www.openwall.com/lists/oss-security/2021/04/20/1 + https://lore.kernel.org/linux-media/YHaulytonFcW+lyZ@mwanda/ + https://lore.kernel.org/linux-media/20210913152302.76d57784@coco.lan/ +Notes: +Bugs: +upstream: released (5.16-rc1) [35d2969ea3c7d32aee78066b1f3cf61a0d935a4e] +5.10-upstream-stable: released (5.10.78) [d7fc85f6104259541ec136199d3bf7c8a736613d] +4.19-upstream-stable: released (4.19.216) [53ec9dab4eb0a8140fc85760fb50effb526fe219] +4.9-upstream-stable: released (4.9.299) [1795af6435fa5f17ced2d34854fd4871e0780092] +sid: released (5.14.16-1) [bugfix/all/media-firewire-firedtv-avc-fix-a-buffer-overflow-in-.patch] +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.290-1) [bugfix/all/media-firewire-firedtv-avc-fix-a-buffer-overflow-in-.patch] diff --git a/retired/CVE-2021-43389 b/retired/CVE-2021-43389 new file mode 100644 index 000000000..bd1b7e471 --- /dev/null +++ b/retired/CVE-2021-43389 
@@ -0,0 +1,17 @@ +Description: isdn: cpai: check ctr->cnr to avoid array index out of bound +References: + https://www.openwall.com/lists/oss-security/2021/10/19/1 + https://lore.kernel.org/netdev/CAFcO6XOvGQrRTaTkaJ0p3zR7y7nrAWD79r48=L_BbOyrK9X-vA@mail.gmail.com/ +Notes: + carnil> Fixed as well in 5.14.15 in 5.14.y. + bwh> This seems to really be a bug in the Bluetooth CMTP subsystem, which has + bwh> been present since that was added in Linux 2.6.2. +Bugs: +upstream: released (5.15-rc6) [1f3e2e97c003f80c4b087092b225c8787ff91e4d] +5.10-upstream-stable: released (5.10.76) [7f221ccbee4ec662e2292d490a43ce6c314c4594] +4.19-upstream-stable: released (4.19.214) [7d91adc0ccb060ce564103315189466eb822cc6a] +4.9-upstream-stable: released (4.9.288) [24219a977bfe3d658687e45615c70998acdbac5a] +sid: released (5.14.16-1) +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.290-1) diff --git a/retired/CVE-2021-43976 b/retired/CVE-2021-43976 new file mode 100644 index 000000000..8c5e07d0b --- /dev/null +++ b/retired/CVE-2021-43976 
@@ -0,0 +1,15 @@ +Description: mwifiex_usb: Fix skb_over_panic in mwifiex_usb_recv +References: + https://patchwork.kernel.org/project/linux-wireless/patch/YX4CqjfRcTa6bVL+@Zekuns-MBP-16.fios-router.home/ + https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next.git/commit/?id=04d80663f67ccef893061b49ec8a42ff7045ae84 +Notes: + carnil> Fixed as well in 5.15.17 for 5.15.y. +Bugs: +upstream: released (5.17-rc1) [04d80663f67ccef893061b49ec8a42ff7045ae84] +5.10-upstream-stable: released (5.10.94) [6036500fdf77caaca9333003f78d25a3d61c4e40] +4.19-upstream-stable: released (4.19.226) [2f4b037bf6e8c663a593b8149263c5b6940c7afd] +4.9-upstream-stable: released (4.9.298) [b233d7395cd104398dd83f130df5f0d57036c95e] +sid: released (5.15.15-2) [bugfix/x86/mwifiex-Fix-skb_over_panic-in-mwifiex_usb_recv.patch] +5.10-bullseye-security: released (5.10.92-2) [bugfix/x86/mwifiex-Fix-skb_over_panic-in-mwifiex_usb_recv.patch] +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2021-44733 b/retired/CVE-2021-44733 new file mode 100644 index 000000000..d4431c920 --- /dev/null +++ b/retired/CVE-2021-44733 @@ -0,0 +1,14 @@ +Description: tee: handle lookup of shm with reference count 0 +References: + https://bugzilla.redhat.com/show_bug.cgi?id=2030747 + https://lore.kernel.org/lkml/20211214123540.1789434-1-jens.wiklander@linaro.org/ +Notes: +Bugs: +upstream: released (5.16-rc7) [dfd0743f1d9ea76931510ed150334d571fbab49d] +5.10-upstream-stable: released (5.10.89) [c05d8f66ec3470e5212c4d08c46d6cb5738d600d] +4.19-upstream-stable: released (4.19.224) [b4a661b4212b8fac8853ec3b68e4a909dccc88a1] +4.9-upstream-stable: N/A "Vulnerable code not present" +sid: released (5.15.15-1) +5.10-bullseye-security: released (5.10.92-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: N/A "Vulnerable code not present" 
diff --git a/retired/CVE-2021-45095 b/retired/CVE-2021-45095 new file mode 100644 index 000000000..e52acc95c --- /dev/null +++ b/retired/CVE-2021-45095 @@ -0,0 +1,14 @@ +Description: phonet: refcount leak in pep_sock_accep +References: + https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=bcd0f93353326954817a4f9fa55ec57fb38acbb0 +Notes: + carnil> Fixed as well in 5.15.14 for 5.15.y. +Bugs: +upstream: released (5.16-rc6) [bcd0f93353326954817a4f9fa55ec57fb38acbb0] +5.10-upstream-stable: released (5.10.91) [4f260ea5537db35d2eeec9bca78a74713078a544] +4.19-upstream-stable: released (4.19.225) [4dece2760af408ad91d6e43afc485d20386c2885] +4.9-upstream-stable: released (4.9.297) [3bae29ecb2909c46309671090311230239f1bdd7] +sid: released (5.15.15-1) +5.10-bullseye-security: released (5.10.92-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2021-45480 b/retired/CVE-2021-45480 new file mode 100644 index 000000000..f4c59a49a --- /dev/null +++ b/retired/CVE-2021-45480 @@ -0,0 +1,15 @@ +Description: rds: memory leak in __rds_conn_create() +References: +Notes: + carnil> commit fixes aced3ce57cd3 ("RDS tcp loopback connection can + carnil> hang") in 5.15-rc4 (but was backported to 5.10.44, 4.19.195 in + carnil> particular). Fixed as well in 5.15.11 for 5.15.y. +Bugs: +upstream: released (5.16-rc6) [5f9562ebe710c307adc5f666bf1a2162ee7977c0] +5.10-upstream-stable: released (5.10.88) [74dc97dfb276542f12746d706abef63364d816bb] +4.19-upstream-stable: released (4.19.222) [1ed173726c1a0082e9d77c7d5a85411e85bdd983] +4.9-upstream-stable: N/A "Vulnerable code not present" +sid: released (5.15.15-1) +5.10-bullseye-security: released (5.10.92-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2021-45868 b/retired/CVE-2021-45868 new file mode 100644 index 000000000..fd0e3b140 --- /dev/null +++ b/retired/CVE-2021-45868 
@@ -0,0 +1,15 @@ +Description: +References: + https://bugzilla.kernel.org/show_bug.cgi?id=214655 + https://www.openwall.com/lists/oss-security/2022/03/17/1 + https://www.openwall.com/lists/oss-security/2022/03/17/2 +Notes: +Bugs: +upstream: released (5.16-rc1) [9bf3d20331295b1ecb81f4ed9ef358c51699a050] +5.10-upstream-stable: released (5.10.80) [ceeb0a8a8716a1c72af3fa4d4f98c3aced32b037] +4.19-upstream-stable: released (4.19.218) [e5222c87dc441dcc8a66e93cb3fd34dfff03d3ec] +4.9-upstream-stable: released (4.9.291) [f7dd331a896700728492e02c20a69e53221cd7a4] +sid: released (5.15.3-1) +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2022-0001 b/retired/CVE-2022-0001 new file mode 100644 index 000000000..5cf3b1ea9 --- /dev/null +++ b/retired/CVE-2022-0001 
@@ -0,0 +1,15 @@ +Description: Sharing of branch predictor selectors between contexts on Intel CPUs +References: + https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html + https://github.com/vusec/bhi-spectre-bhb +Notes: + bwh> A.k.a. "Spectre BHB". Details to be published in INTEL-SA-00598 +Bugs: +upstream: released (5.17-rc8) [d45476d9832409371537013ebdd8dc1a7781f97a, 1e19da8522c81bf46b335f84137165741e0d82b7, 5ad3eb1132453b9795ce5fd4572b1c18b292cca9, 44a3918c8245ab10c6c9719dd12e7a8d291980d8, 244d00b5dd4755f8df892c86cab35fb2cfd4f14b, e9b6013a7ce31535b04b02ba99babefe8a8599fa, eafd987d4a82c7bb5aa12f0e3b4f8f3dea93e678, 0de05d056afdb00eca8c7bbb0c79a3438daf700c] +5.10-upstream-stable: released (5.10.105) [f38774bb6e231d647d40ceeb8ddf9082eabde667, a6a119d647ad1f73067d3cffb43104df3f920bcc, 071e8b69d7808d96f388d7c5ed606e75fd3d518d, afc2d635b5e18e2b33116d8e121ee149882e33eb, 2fdf67a1d215574c31b1a716f80fa0fdccd401d7, e335384560d1e106b609e8febd7e0427075a8938, cc9e3e55bde71b2fac1494f503d5ffc560c7fb8d, d04937ae94903087279e4a016b7741cdee59d521] +4.19-upstream-stable: released (4.19.234) [25440a8c77dd2fde6a8e9cfc0c616916febf408e, 3f66bedb96ff4c064a819e68499f79b38297ba26, 7af95ef3ec6248696300fce5c68f6c8c4f50e4a4, 995629e1d8e6751936c6e2b738f70b392b0461de, d3cb3a6927222268a10b2f12dfb8c9444f7cc39e, c034d344e733a3ac574dd09e39e911a50025c607, 8bfdba77595aee5c3e83ed1c9994c35d6d409605, 9711b12a3f4c0fc73dd257c1e467e6e42155a5f1] +4.9-upstream-stable: released (4.9.306) [a771511caa8e31cb5cac4fa39165ebbca3e62795, d0ba50275860b456ff570edf3dcc2db5d2eb9eb8, f9238d33710d74ac3dd668abaa53b2274f8e6fe6, 6481835a9a5b74e349e5c20ae8a9cb10a2e907fa, b6a1aec08a84ccb331ce526c051df074150cf3c5, 0db1c4307aded2c5e618654f9341a249e0c1051f, 8edabefdc13294a9b15671937d165b948cf34d69, 0753760184745250e39018bb25ba77557390fe91] +sid: released (5.16.12-1) [bugfix/x86/bhb/0001-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch, 
bugfix/x86/bhb/0002-x86-speculation-Add-eIBRS-Retpoline-options.patch, bugfix/x86/bhb/0003-Documentation-hw-vuln-Update-spectre-doc.patch, bugfix/x86/bhb/0004-x86-speculation-Include-unprivileged-eBPF-status-in-.patch, bugfix/x86/bhb/0005-x86-speculation-Use-generic-retpoline-by-default-on-.patch, bugfix/x86/bhb/0006-x86-speculation-Update-link-to-AMD-speculation-white.patch, bugfix/x86/bhb/0007-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch, bugfix/x86/bhb/0008-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch] +5.10-bullseye-security: released (5.10.103-1) [bugfix/x86/bhb/0002-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch, bugfix/x86/bhb/0003-x86-speculation-Add-eIBRS-Retpoline-options.patch, bugfix/x86/bhb/0004-Documentation-hw-vuln-Update-spectre-doc.patch, bugfix/x86/bhb/0005-x86-speculation-Include-unprivileged-eBPF-status-in-.patch, bugfix/x86/bhb/0006-x86-speculation-Use-generic-retpoline-by-default-on-.patch, bugfix/x86/bhb/0007-x86-speculation-Update-link-to-AMD-speculation-white.patch, bugfix/x86/bhb/0008-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch, bugfix/x86/bhb/0009-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch] +4.19-buster-security: released (4.19.232-1) [bugfix/x86/bhb/0004-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch, bugfix/x86/bhb/0005-x86-speculation-Add-eIBRS-Retpoline-options.patch, bugfix/x86/bhb/0006-Documentation-hw-vuln-Update-spectre-doc.patch, bugfix/x86/bhb/0007-x86-speculation-Include-unprivileged-eBPF-status-in-.patch, bugfix/x86/bhb/0008-x86-speculation-Use-generic-retpoline-by-default-on-.patch, bugfix/x86/bhb/0009-x86-speculation-Update-link-to-AMD-speculation-white.patch, bugfix/x86/bhb/0010-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch, bugfix/x86/bhb/0011-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch] +4.9-stretch-security: released (4.9.303-1) [bugfix/x86/bhb/0004-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch, 
bugfix/x86/bhb/0005-x86-speculation-Add-eIBRS-Retpoline-options.patch, bugfix/x86/bhb/0006-Documentation-hw-vuln-Update-spectre-doc.patch, bugfix/x86/bhb/0007-x86-speculation-Include-unprivileged-eBPF-status-in-.patch, bugfix/x86/bhb/0008-x86-speculation-Use-generic-retpoline-by-default-on-.patch, bugfix/x86/bhb/0009-x86-speculation-Update-link-to-AMD-speculation-white.patch, bugfix/x86/bhb/0010-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch, bugfix/x86/bhb/0011-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch] diff --git a/retired/CVE-2022-0002 b/retired/CVE-2022-0002 new file mode 100644 index 000000000..fb8fda601 --- /dev/null +++ b/retired/CVE-2022-0002 
@@ -0,0 +1,17 @@ +Description: Sharing of branch predictor selectors in same context on Intel CPUs +References: + https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html + https://github.com/vusec/bhi-spectre-bhb +Notes: + bwh> A.k.a. "Spectre BHB". Details to be published in INTEL-SA-00598. + bwh> Unprivileged eBPF must also be disabled + bwh> (CONFIG_BPF_UNPRIV_DEFAULT_OFF=y). +Bugs: +upstream: released (5.17-rc8) [d45476d9832409371537013ebdd8dc1a7781f97a, 1e19da8522c81bf46b335f84137165741e0d82b7, 5ad3eb1132453b9795ce5fd4572b1c18b292cca9, 44a3918c8245ab10c6c9719dd12e7a8d291980d8, 244d00b5dd4755f8df892c86cab35fb2cfd4f14b, e9b6013a7ce31535b04b02ba99babefe8a8599fa, eafd987d4a82c7bb5aa12f0e3b4f8f3dea93e678, 0de05d056afdb00eca8c7bbb0c79a3438daf700c] +5.10-upstream-stable: released (5.10.105) [f38774bb6e231d647d40ceeb8ddf9082eabde667, a6a119d647ad1f73067d3cffb43104df3f920bcc, 071e8b69d7808d96f388d7c5ed606e75fd3d518d, afc2d635b5e18e2b33116d8e121ee149882e33eb, 2fdf67a1d215574c31b1a716f80fa0fdccd401d7, e335384560d1e106b609e8febd7e0427075a8938, cc9e3e55bde71b2fac1494f503d5ffc560c7fb8d, d04937ae94903087279e4a016b7741cdee59d521] +4.19-upstream-stable: released (4.19.234) [25440a8c77dd2fde6a8e9cfc0c616916febf408e, 3f66bedb96ff4c064a819e68499f79b38297ba26, 7af95ef3ec6248696300fce5c68f6c8c4f50e4a4, 995629e1d8e6751936c6e2b738f70b392b0461de, d3cb3a6927222268a10b2f12dfb8c9444f7cc39e, c034d344e733a3ac574dd09e39e911a50025c607, 8bfdba77595aee5c3e83ed1c9994c35d6d409605, 9711b12a3f4c0fc73dd257c1e467e6e42155a5f1] +4.9-upstream-stable: released (4.9.306) [a771511caa8e31cb5cac4fa39165ebbca3e62795, d0ba50275860b456ff570edf3dcc2db5d2eb9eb8, f9238d33710d74ac3dd668abaa53b2274f8e6fe6, 6481835a9a5b74e349e5c20ae8a9cb10a2e907fa, b6a1aec08a84ccb331ce526c051df074150cf3c5, 0db1c4307aded2c5e618654f9341a249e0c1051f, 8edabefdc13294a9b15671937d165b948cf34d69, 0753760184745250e39018bb25ba77557390fe91] +sid: released (5.16.12-1) 
[bugfix/x86/bhb/0001-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch, bugfix/x86/bhb/0002-x86-speculation-Add-eIBRS-Retpoline-options.patch, bugfix/x86/bhb/0003-Documentation-hw-vuln-Update-spectre-doc.patch, bugfix/x86/bhb/0004-x86-speculation-Include-unprivileged-eBPF-status-in-.patch, bugfix/x86/bhb/0005-x86-speculation-Use-generic-retpoline-by-default-on-.patch, bugfix/x86/bhb/0006-x86-speculation-Update-link-to-AMD-speculation-white.patch, bugfix/x86/bhb/0007-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch, bugfix/x86/bhb/0008-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch] +5.10-bullseye-security: released (5.10.103-1) [bugfix/x86/bhb/0002-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch, bugfix/x86/bhb/0003-x86-speculation-Add-eIBRS-Retpoline-options.patch, bugfix/x86/bhb/0004-Documentation-hw-vuln-Update-spectre-doc.patch, bugfix/x86/bhb/0005-x86-speculation-Include-unprivileged-eBPF-status-in-.patch, bugfix/x86/bhb/0006-x86-speculation-Use-generic-retpoline-by-default-on-.patch, bugfix/x86/bhb/0007-x86-speculation-Update-link-to-AMD-speculation-white.patch, bugfix/x86/bhb/0008-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch, bugfix/x86/bhb/0009-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch] +4.19-buster-security: released (4.19.232-1) [bugfix/x86/bhb/0004-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch, bugfix/x86/bhb/0005-x86-speculation-Add-eIBRS-Retpoline-options.patch, bugfix/x86/bhb/0006-Documentation-hw-vuln-Update-spectre-doc.patch, bugfix/x86/bhb/0007-x86-speculation-Include-unprivileged-eBPF-status-in-.patch, bugfix/x86/bhb/0008-x86-speculation-Use-generic-retpoline-by-default-on-.patch, bugfix/x86/bhb/0009-x86-speculation-Update-link-to-AMD-speculation-white.patch, bugfix/x86/bhb/0010-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch, bugfix/x86/bhb/0011-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch] +4.9-stretch-security: released (4.9.303-1) 
[bugfix/x86/bhb/0004-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch, bugfix/x86/bhb/0005-x86-speculation-Add-eIBRS-Retpoline-options.patch, bugfix/x86/bhb/0006-Documentation-hw-vuln-Update-spectre-doc.patch, bugfix/x86/bhb/0007-x86-speculation-Include-unprivileged-eBPF-status-in-.patch, bugfix/x86/bhb/0008-x86-speculation-Use-generic-retpoline-by-default-on-.patch, bugfix/x86/bhb/0009-x86-speculation-Update-link-to-AMD-speculation-white.patch, bugfix/x86/bhb/0010-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch, bugfix/x86/bhb/0011-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch] diff --git a/retired/CVE-2022-0322 b/retired/CVE-2022-0322 new file mode 100644 index 000000000..77a029418 --- /dev/null +++ b/retired/CVE-2022-0322 @@ -0,0 +1,15 @@ +Description: sctp: account stream padding length for reconf chunk +References: + https://bugzilla.redhat.com/show_bug.cgi?id=2042822 +Notes: + carnil> Commit fixes cc16f00f6529 ("sctp: add support for generating + carnil> stream reconf ssn reset request chunk") in 4.11-rc1. +Bugs: +upstream: released (5.15-rc6) [a2d859e3fc97e79d907761550dbc03ff1b36479c] +5.10-upstream-stable: released (5.10.75) [d84a69ac410f6228873d05d35120f6bdddab7fc3] +4.19-upstream-stable: released (4.19.213) [c57fdeff69b152185fafabd37e6bfecfce51efda] +4.9-upstream-stable: N/A "Vulnerable code not present" +sid: released (5.14.16-1) +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2022-0330 b/retired/CVE-2022-0330 new file mode 100644 index 000000000..806ddbbe8 --- /dev/null +++ b/retired/CVE-2022-0330 
@@ -0,0 +1,14 @@ +Description: drm/i915: Flush TLBs before releasing backing store +References: + https://www.openwall.com/lists/oss-security/2022/01/25/12 +Notes: + carnil> Fixed in 5.16.4 for 5.16.y and 5.15.18 for 5.15.y. +Bugs: +upstream: released (5.17-rc2) [7938d61591d33394a21bdd7797a245b65428f44c] +5.10-upstream-stable: released (5.10.95) [6a6acf927895c38bdd9f3cd76b8dbfc25ac03e88] +4.19-upstream-stable: released (4.19.227) [b188780649081782e341e52223db47c49f172712] +4.9-upstream-stable: released (4.9.299) [84f4ab5b47d955ad2bb30115d7841d3e8f0994f4] +sid: released (5.15.15-2) [bugfix/x86/drm-i915-Flush-TLBs-before-releasing-backing-store.patch] +5.10-bullseye-security: released (5.10.92-2) [bugfix/x86/drm-i915-Flush-TLBs-before-releasing-backing-store.patch] +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2022-0435 b/retired/CVE-2022-0435 new file mode 100644 index 000000000..5495d3cfd --- /dev/null +++ b/retired/CVE-2022-0435 @@ -0,0 +1,16 @@ +Description: tipc: improve size validations for received domain records +References: + https://www.openwall.com/lists/oss-security/2022/02/10/1 +Notes: + carnil> Introduced with 35c55c9877f8 ("tipc: add neighbor monitoring + carnil> framework") in 4.8-rc1. + carnil> Fixed as well in 5.16.9 for 5.16.y. +Bugs: +upstream: released (5.17-rc4) [9aa422ad326634b76309e8ff342c246800621216] +5.10-upstream-stable: released (5.10.100) [3c7e5943553594f68bbc070683db6bb6f6e9e78e] +4.19-upstream-stable: released (4.19.229) [f1af11edd08dd8376f7a84487cbb0ea8203e3a1d] +4.9-upstream-stable: released (4.9.301) [175db196e45d6f0e6047eccd09c8ba55465eb131] +sid: released (5.16.10-1) +5.10-bullseye-security: released (5.10.92-2) [bugfix/all/tipc-improve-size-validations-for-received-domain-re.patch] +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) 
diff --git a/retired/CVE-2022-0487 b/retired/CVE-2022-0487 new file mode 100644 index 000000000..5194a44d6 --- /dev/null +++ b/retired/CVE-2022-0487 @@ -0,0 +1,16 @@ +Description: Use after free in moxart_remove +References: + https://lore.kernel.org/all/20220114075934.302464-1-gregkh@linuxfoundation.org/ + https://bugzilla.suse.com/show_bug.cgi?id=1194516 + https://lore.kernel.org/all/20220127071638.4057899-1-gregkh@linuxfoundation.org/ +Notes: + carnil> CONFIG_MMC_MOXART is not set in Debian. +Bugs: +upstream: released (5.17-rc4) [bd2db32e7c3e35bd4d9b8bbff689434a50893546] +5.10-upstream-stable: released (5.10.100) [be93028d306dac9f5b59ebebd9ec7abcfc69c156] +4.19-upstream-stable: released (4.19.229) [9c25d5ff1856b91bd4365e813f566cb59aaa9552] +4.9-upstream-stable: released (4.9.301) [f5dc193167591e88797262ec78515a0cbe79ff5f] +sid: released (5.16.10-1) +5.10-bullseye-security: released (5.10.103-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2022-0492 b/retired/CVE-2022-0492 new file mode 100644 index 000000000..bf08c11e4 --- /dev/null +++ b/retired/CVE-2022-0492 
@@ -0,0 +1,17 @@ +Description: cgroup-v1: Require capabilities to set release_agent +References: + https://www.openwall.com/lists/oss-security/2022/02/04/1 + https://twitter.com/chompie1337/status/1489366167600906240 +Notes: + carnil> Fixed as well in 5.15.20 for 5.15.y and 5.16.6 for 5.16.y. + carnil> Original fix will need a followup fix 467a726b754f ("cgroup-v1: + carnil> Correct privileges check in release_agent writes") +Bugs: +upstream: released (5.17-rc3) [24f6008564183aa120d07c03d9289519c2fe02af] +5.10-upstream-stable: released (5.10.97) [1fc3444cda9a78c65b769e3fa93455e09ff7a0d3] +4.19-upstream-stable: released (4.19.229) [939f8b491887c27585933ea7dc5ad4123de58ff3] +4.9-upstream-stable: released (4.9.301) [7e33a0ad792f04bad920c7197bda8cc2ea08d304] +sid: released (5.16.7-1) +5.10-bullseye-security: released (5.10.103-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2022-0516 b/retired/CVE-2022-0516 new file mode 100644 index 000000000..516850982 --- /dev/null +++ b/retired/CVE-2022-0516 
@@ -0,0 +1,17 @@ +Description: KVM: s390: Return error on SIDA memop on normal guest +References: + https://bugzilla.redhat.com/show_bug.cgi?id=2050237 + https://www.openwall.com/lists/oss-security/2022/02/11/2 +Notes: + carnil> Introduced by 19e122776886 (KVM: S390: protvirt: Introduce + carnil> instruction data area bounce buffer) in 5.7-rc1 + carnil> Fixed as well in 5.16.9 for 5.16.y. +Bugs: +upstream: released (5.17-rc4) [2c212e1baedcd782b2535a3f86bc491977677c0e] +5.10-upstream-stable: released (5.10.100) [b62267b8b06e9b8bb429ae8f962ee431e6535d60] +4.19-upstream-stable: N/A "Vulnerable code not present" +4.9-upstream-stable: N/A "Vulnerable code not present" +sid: released (5.16.10-1) +5.10-bullseye-security: released (5.10.92-2) [bugfix/s390x/KVM-s390-Return-error-on-SIDA-memop-on-normal-guest.patch] +4.19-buster-security: N/A "Vulnerable code not present" +4.9-stretch-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2022-0617 b/retired/CVE-2022-0617 new file mode 100644 index 000000000..fb1e33161 --- /dev/null +++ b/retired/CVE-2022-0617 @@ -0,0 +1,13 @@ +Description: Null pointer dereference can be triggered when write to an ICB inode +References: + https://bugzilla.redhat.com/show_bug.cgi?id=2053632 +Notes: +Bugs: +upstream: released (5.17-rc2) [7fc3b7c2981bbd1047916ade327beccb90994eee, ea8569194b43f0f01f0a84c689388542c7254a1f] +5.10-upstream-stable: released (5.10.96) [de7cc8bcca90a9d77c915ee1d922dbd670c47d84, 0a3cfd258923aee63e7f144f134d42e205421848] +4.19-upstream-stable: released (4.19.228) [a23a59717f9f01a49394488f515550f9382fbada, 3740d41e7363374182a42f1621e06d5029c837d5] +4.9-upstream-stable: released (4.9.300) [f24454e42b5a58267928b0de53b0dd9b43e4dd46, de10d14ce3aacba73c835cb979a85ef9683c193f] +sid: released (5.16.7-1) +5.10-bullseye-security: released (5.10.103-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) 
diff --git a/retired/CVE-2022-0644 b/retired/CVE-2022-0644 new file mode 100644 index 000000000..90a15c088 --- /dev/null +++ b/retired/CVE-2022-0644 @@ -0,0 +1,15 @@ +Description: vfs: check fd has read access in kernel_read_file_from_fd() +References: + https://bugzilla.redhat.com/show_bug.cgi?id=2026491 + https://lore.kernel.org/all/20211007220110.600005-1-willy@infradead.org/ + https://lkml.org/lkml/2021/10/6/254 +Notes: +Bugs: +upstream: released (5.15-rc7) [032146cda85566abcd1c4884d9d23e4e30a07e9a] +5.10-upstream-stable: released (5.10.76) [b721500c979b71a9f02eb84ca384082722c62d4e] +4.19-upstream-stable: released (4.19.214) [c1ba20965b59c2eeb54a845ca5cab4fc7bcf9735] +4.9-upstream-stable: released (4.9.288) [52ed5a196b1146e0368e95edc23c38fa1b50825a] +sid: released (5.14.16-1) +5.10-bullseye-security: released (5.10.84-1) +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.290-1) diff --git a/retired/CVE-2022-0847 b/retired/CVE-2022-0847 new file mode 100644 index 000000000..725813f9a --- /dev/null +++ b/retired/CVE-2022-0847 
@@ -0,0 +1,17 @@ +Description: lib/iov_iter: initialize "flags" in new pipe_buffer +References: + https://www.openwall.com/lists/oss-security/2022/03/07/1 + https://dirtypipe.cm4all.com/ +Notes: + carnil> Only exploitable starting in 5.8-rc1 due to f6dd975583bd + carnil> ("pipe: merge anon_pipe_buf*_ops"). The commit which landed in + carnil> 5.17-rc6 was still backported to all stable series. +Bugs: +upstream: released (5.17-rc6) [9d2231c5d74e13b2a0546fee6737ee4446017903] +5.10-upstream-stable: released (5.10.102) [b19ec7afa9297d862ed86443e0164643b97250ab] +4.19-upstream-stable: released (4.19.231) [d46c42d8d2742742eddf9290e72df4b563f2e301] +4.9-upstream-stable: released (4.9.303) [c460ef6e0596eb5ca844c45338c20f6023f1e43c] +sid: released (5.16.11-1) +5.10-bullseye-security: released (5.10.92-2) [bugfix/all/lib-iov_iter-initialize-flags-in-new-pipe_buffer.patch] +4.19-buster-security: N/A "Vulnerable code introduced later" +4.9-stretch-security: N/A "Vulnerable code introduced later" diff --git a/retired/CVE-2022-0998 b/retired/CVE-2022-0998 new file mode 100644 index 000000000..7ef46ebbc --- /dev/null +++ b/retired/CVE-2022-0998 
@@ -0,0 +1,19 @@ +Description: vdpa: clean up get_config_size ret value handling +References: + https://lore.kernel.org/netdev/20220123001216.2460383-13-sashal@kernel.org/ + https://bugzilla.redhat.com/show_bug.cgi?id=2057506 +Notes: + carnil> CONFIG_VHOST_VDPA not set in Debian. + bwh> The vhost vDPA backend was introduced in 5.7. + bwh> The change in 5.17 is described as only clean up, while the actual + bwh> fix was commit 3ed21c1451a1, already included in all vulnerable + bwh> branches. +Bugs: +upstream: released (5.16-rc6) [3ed21c1451a14d139e1ceb18f2fa70865ce3195a] +5.10-upstream-stable: released (5.10.88) [51f6302f81d243772047a74ffeceddfb11c964d5] +4.19-upstream-stable: N/A "Vulnerable code not present" +4.9-upstream-stable: N/A "Vulnerable code not present" +sid: released (5.15.15-1) +5.10-bullseye-security: released (5.10.92-1) +4.19-buster-security: N/A "Vulnerable code not present" +4.9-stretch-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2022-1043 b/retired/CVE-2022-1043 new file mode 100644 index 000000000..6adac9308 --- /dev/null +++ b/retired/CVE-2022-1043 @@ -0,0 +1,16 @@ +Description: io_uring: fix xa_alloc_cycle() error return value check +References: + https://bugzilla.redhat.com/show_bug.cgi?id=1997328 + https://bugzilla.suse.com/show_bug.cgi?id=1197393 +Notes: + carnil> Introduced by 61cf93700fe6 ("io_uring: Convert personality_idr + carnil> to XArray") in 5.12-rc3 (got backported to 5.10.51). +Bugs: +upstream: released (5.14-rc7) [a30f895ad3239f45012e860d4f94c1a388b36d14] +5.10-upstream-stable: released (5.10.61) [695ab28a7fa107d0350ab19eba8ec89fac45a95d] +4.19-upstream-stable: N/A "Vulnerable code not present" +4.9-upstream-stable: N/A "Vulnerable code not present" +sid: released (5.14.6-1) +5.10-bullseye-security: released (5.10.70-1) +4.19-buster-security: N/A "Vulnerable code not present" +4.9-stretch-security: N/A "Vulnerable code not present" 
diff --git a/retired/CVE-2022-22942 b/retired/CVE-2022-22942 new file mode 100644 index 000000000..4012da6b6 --- /dev/null +++ b/retired/CVE-2022-22942 @@ -0,0 +1,17 @@ +Description: drm/vmwgfx: Fix stale file descriptors on failed usercopy +References: + https://www.openwall.com/lists/oss-security/2022/01/27/4 + https://www.openwall.com/lists/oss-security/2022/02/03/1 +Notes: + carnil> Commit fixes c906965dee22 ("drm/vmwgfx: Add export fence to + carnil> file descriptor support") in 4.14-rc1. + carnil> Fixed in 5.16.4 for 5.16.y and 5.15.18 for 5.15.y. +Bugs: +upstream: released (5.17-rc2) [a0f90c8815706981c483a652a6aefca51a5e191c] +5.10-upstream-stable: released (5.10.95) [ae2b20f27732fe92055d9e7b350abc5cdf3e2414] +4.19-upstream-stable: released (4.19.227) [0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d] +4.9-upstream-stable: N/A "Vulnerable code not present" +sid: released (5.15.15-2) [bugfix/all/drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch] +5.10-bullseye-security: released (5.10.92-2) [bugfix/x86/drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch] +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2022-24448 b/retired/CVE-2022-24448 new file mode 100644 index 000000000..3081a0fde --- /dev/null +++ b/retired/CVE-2022-24448 
@@ -0,0 +1,13 @@ +Description NFSv4: Handle case where the lookup of a directory fails: +References: + NFSv4: Handle case where the lookup of a directory fails +Notes: +Bugs: +upstream: released (5.17-rc2) [ac795161c93699d600db16c1a8cc23a65a1eceaf] +5.10-upstream-stable: released (5.10.96) [ce8c552b88ca25d775ecd0a0fbef4e0e03de9ed2] +4.19-upstream-stable: released (4.19.228) [b00b4c6faad0f21e443fb1584f7a8ea222beb0de] +4.9-upstream-stable: released (4.9.300) [8788981e120694a82a3672e062fe4ea99446634a] +sid: released (5.16.7-1) +5.10-bullseye-security: released (5.10.92-2) [bugfix/all/NFSv4-Handle-case-where-the-lookup-of-a-directory-fa.patch] +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2022-24959 b/retired/CVE-2022-24959 new file mode 100644 index 000000000..323dcedb3 --- /dev/null +++ b/retired/CVE-2022-24959 @@ -0,0 +1,15 @@ +Description: yam: fix a memory leak in yam_siocdevprivate() +References: +Notes: + bwh> Introduced in 4.19 by commit 0781168e23a2 "yam: fix a missing- + bwh> check bug". (That didn't actually fix any bug because the + bwh> driver never looks at the second copy of the cmd field.) +Bugs: +upstream: released (5.17-rc2) [29eb31542787e1019208a2e1047bb7c76c069536] +5.10-upstream-stable: released (5.10.96) [729e54636b3ebefb77796702a5b1f1ed5586895e] +4.19-upstream-stable: released (4.19.228) [4bd197ce18329e3725fe3af5bd27daa4256d3ac7] +4.9-upstream-stable: N/A "Vulnerability introduced later" +sid: released (5.16.7-1) +5.10-bullseye-security: released (5.10.92-2) [bugfix/all/yam-fix-a-memory-leak-in-yam_siocdevprivate.patch] +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: N/A "Vulnerability introduced later" diff --git a/retired/CVE-2022-25258 b/retired/CVE-2022-25258 new file mode 100644 index 000000000..c6034e00d --- /dev/null +++ b/retired/CVE-2022-25258 
@@ -0,0 +1,13 @@ +Description: USB: gadget: validate interface OS descriptor requests +References: + https://github.com/szymonh/d-os-descriptor +Notes: +Bugs: +upstream: released (5.17-rc4) [75e5b4849b81e19e9efe1654b30d7f3151c33c2c] +5.10-upstream-stable: released (5.10.101) [22ec1004728548598f4f5b4a079a7873409eacfd] +4.19-upstream-stable: released (4.19.230) [e5eb8d19aee115d8fb354d1eff1b8df700467164] +4.9-upstream-stable: released (4.9.302) [f3bcd744b0bc8dcc6cdb3ac5be20f54aecfb78a4] +sid: released (5.16.10-1) +5.10-bullseye-security: released (5.10.92-2) [bugfix/all/USB-gadget-validate-interface-OS-descriptor-requests.patch] +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2022-25375 b/retired/CVE-2022-25375 new file mode 100644 index 000000000..e9b29ca0e --- /dev/null +++ b/retired/CVE-2022-25375 @@ -0,0 +1,14 @@ +Description: usb: gadget: rndis: check size of RNDIS_MSG_SET command +References: + https://github.com/szymonh/rndis-co + https://www.openwall.com/lists/oss-security/2022/02/21/1 +Notes: +Bugs: +upstream: released (5.17-rc4) [38ea1eac7d88072bbffb630e2b3db83ca649b826] +5.10-upstream-stable: released (5.10.101) [fb4ff0f96de37c44236598e8b53fe43b1df36bf3] +4.19-upstream-stable: released (4.19.230) [db9aaa3026298d652e98f777bc0f5756e2455dda] +4.9-upstream-stable: released (4.9.302) [ff0a90739925734c91c7e39befe3f4378e0c1369] +sid: released (5.16.10-1) +5.10-bullseye-security: released (5.10.92-2) [bugfix/all/usb-gadget-rndis-check-size-of-RNDIS_MSG_SET-command.patch] +4.19-buster-security: released (4.19.232-1) +4.9-stretch-security: released (4.9.303-1) diff --git a/retired/CVE-2022-25636 b/retired/CVE-2022-25636 new file mode 100644 index 000000000..775e8cf27 --- /dev/null +++ b/retired/CVE-2022-25636 
@@ -0,0 +1,18 @@ +Description: netfilter: nf_tables_offload: incorrect flow offload action array size +References: + https://www.openwall.com/lists/oss-security/2022/02/21/2 + https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git/commit/?id=b1a5983f56e371046dcf164f90bfaf704d2b89f6 + https://github.com/Bonfee/CVE-2022-25636 + https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/ +Notes: + carnil> Introduced in be2861dc36d7 ("netfilter: nft_{fwd,dup}_netdev: + carnil> add offload support") in 5.4-rc1. +Bugs: +upstream: released (5.17-rc6) [b1a5983f56e371046dcf164f90bfaf704d2b89f6] +5.10-upstream-stable: released (5.10.103) [68f19845f580a1d3ac1ef40e95b0250804e046bb] +4.19-upstream-stable: N/A "Vulnerable code not present" +4.9-upstream-stable: N/A "Vulnerable code not present" +sid: released (5.16.11-1) [bugfix/all/netfilter-nf_tables_offload-incorrect-flow-offload-a.patch] +5.10-bullseye-security: released (5.10.103-1) +4.19-buster-security: N/A "Vulnerable code not present" +4.9-stretch-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2022-26878 b/retired/CVE-2022-26878 new file mode 100644 index 000000000..373e0eaa7 --- /dev/null +++ b/retired/CVE-2022-26878 
@@ -0,0 +1,16 @@ +Description: Bluetooth: virtio_bt: fix memory leak in virtbt_rx_handle() +References: + https://lore.kernel.org/linux-bluetooth/1A203F5E-FB5E-430C-BEA3-86B191D69D58@holtmann.org/ +Notes: + carnil> Commit fixes afd2daa26c7a ("Bluetooth: Add support for virtio + carnil> transport driver") in 5.13-rc1. Additionally BT_VIRTIO is not + carnil> set in Debian. +Bugs: +upstream: released (5.17-rc1) [ad7cb5f6fa5f7ea37208c98a9457dd98025a89ca] +5.10-upstream-stable: N/A "Vulnerable code not present" +4.19-upstream-stable: N/A "Vulnerable code not present" +4.9-upstream-stable: N/A "Vulnerable code not present" +sid: released (5.16.7-1) +5.10-bullseye-security: N/A "Vulnerable code not present" +4.19-buster-security: N/A "Vulnerable code not present" +4.9-stretch-security: N/A "Vulnerable code not present" |
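Review bot: In the first hunk of this section (the NFSv4 entry, "@@ -0,0 +1,13 @@"), the opening line reads "Description NFSv4: Handle case where the lookup of a directory fails:", with no colon after the Description key and a stray colon at the end. Every other entry in this commit uses "Description: <subject>", so a tool that splits these files on "Key:" would not find a Description field here. The References block also repeats the commit subject instead of giving a URL. Either put a link there or leave References empty, as the yam entry does.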
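Review bot: In retired/CVE-2022-24959, the Notes text wraps inside the quoted commit subject: one "bwh>" line ends with "yam: fix a missing-" and the next begins with "check bug". The subject then reads as "missing- check bug", and a search for the original subject line will not match it. Break the line before the opening quote so the subject of commit 0781168e23a2 stays on a single line.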
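Review bot: In retired/CVE-2022-26878, "sid: released (5.16.7-1)" sits next to "upstream: released (5.17-rc1)" with no patch name in brackets, so the entry does not show how a 5.16-based upload obtained a fix first released in 5.17-rc1. A short "carnil>" note naming the stable release or commit that carried it would make the sid status checkable. The Notes already say BT_VIRTIO is not set in Debian, so it would also help to state explicitly whether any Debian binary package ever built the affected driver.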