Revision 15280
Tue Nov 21 14:25:13 2023 UTC by marja
File size: 5355 byte(s)
Update security advisory M9 kernel/kmod-virtualbox/kmod-xtables-addons mga#32537
type: security
subject: Updated kernel packages fix security vulnerabilities and other bugs
CVE:
 - CVE-2023-5178
 - CVE-2023-5090
 - CVE-2023-34324
 - CVE-2023-5345
 - CVE-2023-39189
 - CVE-2023-5633
 - CVE-2023-5717
 - CVE-2023-46813
 - CVE-2023-6176
src:
  9:
   core:
     - kernel-6.5.11-5.mga9
     - kmod-virtualbox-7.0.10-37.mga9
     - kmod-xtables-addons-3.24-50.mga9
description: |
  This kernel update is based on upstream 6.5.11 and fixes or adds
  mitigations for at least the following security issues:

  A use-after-free vulnerability was found in `drivers/nvme/target/tcp.c`
  in `nvmet_tcp_free_crypto` due to a logical bug in the NVMe-oF/TCP
  subsystem in the Linux kernel. This issue may allow a malicious user to
  cause a use-after-free and double-free problem, which may permit remote
  code execution or lead to local privilege escalation in case the
  attacker already has local privileges. (CVE-2023-5178)

  x86: KVM: SVM: always update the x2avic msr interception:
  The following problem exists since x2avic was enabled in the KVM:
  svm_set_x2apic_msr_interception is called to enable the interception of
  the x2apic msrs.
  In particular it is called at the moment the guest resets its apic.
  Assuming that the guest's apic is in x2apic mode, the reset will bring
  it back to the xapic mode.
  The svm_set_x2apic_msr_interception however has an erroneous check for
  '!apic_x2apic_mode()' which prevents it from doing anything in this case.
  As a result of this, all x2apic msrs are left unintercepted, and that
  exposes the bare metal x2apic (if enabled) to the guest.
  Removing the erroneous '!apic_x2apic_mode()' check fixes that.
  (CVE-2023-5090)

  In unprivileged Xen guests event handling can cause a deadlock with
  Xen console handling. The evtchn_rwlock and the hvc_lock are taken in
  opposite sequence in __hvc_poll() and in Xen console IRQ handling.
  This is fixed by xen/events: replace evtchn_rwlock with RCU
  (CVE-2023-34324)

  A use-after-free vulnerability in the Linux kernel's fs/smb/client
  component can be exploited to achieve local privilege escalation. In
  case of an error in smb3_fs_context_parse_param, ctx->password was freed
  but the field was not set to NULL, which could lead to a double free. We
  recommend upgrading past commit e6e43b8aa7cd3c3af686caf0c2e11819a886d705
  (CVE-2023-5345)

  A flaw was found in the Netfilter subsystem in the Linux kernel. The
  nfnl_osf_add_callback function did not validate the user mode controlled
  opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN)
  attacker to trigger an out-of-bounds read, leading to a crash or
  information disclosure. (CVE-2023-39189)

  The reference count changes made as part of the CVE-2023-33951 and
  CVE-2023-33952 fixes exposed a use-after-free flaw in the way memory
  objects were handled when they were being used to store a surface. When
  running inside a VMware guest with 3D acceleration enabled, a local,
  unprivileged user could potentially use this flaw to escalate their
  privileges. (CVE-2023-5633)

  A heap out-of-bounds write vulnerability in the Linux kernel's Linux
  Kernel Performance Events (perf) component can be exploited to achieve
  local privilege escalation. If perf_read_group() is called while an
  event's sibling_list is smaller than its child's sibling_list, it can
  increment or write to memory locations outside of the allocated buffer.
  We recommend upgrading past commit
  32671e3799ca2e4590773fd0e63aaa4229e50c06. (CVE-2023-5717)

  An issue was discovered in the Linux kernel before 6.5.9, exploitable by
  local users with userspace access to MMIO registers. Incorrect access
  checking in the #VC handler and instruction emulation of the SEV-ES
  emulation of MMIO accesses could lead to arbitrary write access to
  kernel memory (and thus privilege escalation). This depends on a race
  condition through which userspace can replace an instruction before the
  #VC handler reads it. (CVE-2023-46813)

  A null pointer dereference flaw was found in the Linux kernel API for
  the cryptographic algorithm scatterwalk functionality. This issue occurs
  when a user constructs a malicious packet with specific socket
  configuration, which could allow a local user to crash the system or
  escalate their privileges on the system. (CVE-2023-6176)

  And fixes at least one normal bug about sleep lockups:

  Drop Patch1030 and 1050 to fix sleep lockups (bug #32082)

references:
 - https://bugs.mageia.org/show_bug.cgi?id=32537
 - https://bugs.mageia.org/show_bug.cgi?id=32082
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.1
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.2
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.3
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.4
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.5
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.6
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.7
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.8
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.9
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.10
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.11
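The fixed package versions listed under `src: 9: core:` are what an administrator checks an installed system against. The following is an added example, not part of the advisory or of Mageia's tooling: it embeds those three name-version-release strings and implements a simplified rpmvercmp so that an `rpm -q`-style NVR can be tested for whether it is at or past the fixed build. It assumes the installed package uses the same source package name and an NVR of the form shown in the advisory (binary kernel package names on a real system may differ) and ignores epochs.

```python
import re

# NVRs fixed by this advisory, copied from the 'src: 9: core:' list.
FIXED = [
    "kernel-6.5.11-5.mga9",
    "kmod-virtualbox-7.0.10-37.mga9",
    "kmod-xtables-addons-3.24-50.mga9",
]

_SEG = re.compile(r"(\d+|[a-zA-Z]+)")


def split_nvr(nvr):
    """Split 'name-version-release' into its parts; the name may itself contain dashes."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare alnum segments left to right, numerically when both are digits.

    Returns 1 if a is newer, -1 if older, 0 if equal ('6.5.11' beats '6.5.9').
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)           # numeric segments compare by value
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric sorts after alpha, as in rpm
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer segment list wins


def is_fixed(installed, fixed=FIXED):
    """True if the installed NVR is at or past the fixed NVR for the same package name."""
    name, ver, rel = split_nvr(installed)
    for entry in fixed:
        fname, fver, frel = split_nvr(entry)
        if fname != name:
            continue
        # Version decides first; release only breaks a tie on version.
        return (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) >= 0
    raise ValueError(f"{name} is not covered by this advisory")


if __name__ == "__main__":
    for nvr in ("kernel-6.5.9-1.mga9", "kernel-6.5.11-5.mga9"):
        print(nvr, "fixed" if is_fixed(nvr) else "VULNERABLE")
```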
