Contents of /32537.adv
Revision 15284
Thu Nov 23 20:09:38 2023 UTC (9 months, 2 weeks ago) by marja
File size: 7665 byte(s)
Update security advisory M9 kernel/kmod-virtualbox/kmod-xtables-addons mga#32537
type: security
subject: Updated kernel packages fix security vulnerabilities and other bugs
CVE:
 - CVE-2020-26555
 - CVE-2023-3772
 - CVE-2023-3773
 - CVE-2023-4155
 - CVE-2023-5090
 - CVE-2023-5178
 - CVE-2023-5345
 - CVE-2023-5633
 - CVE-2023-5717
 - CVE-2023-6176
 - CVE-2023-25775
 - CVE-2023-34319
 - CVE-2023-34324
 - CVE-2023-39189
 - CVE-2023-46813
src:
  9:
   core:
    - kernel-6.5.11-5.mga9
    - kmod-virtualbox-7.0.10-37.mga9
    - kmod-xtables-addons-3.24-50.mga9
description: |
  This kernel update is based on upstream 6.5.11 and fixes or adds
  mitigations for at least the following security issues:

  A use-after-free vulnerability was found in `drivers/nvme/target/tcp.c`
  in `nvmet_tcp_free_crypto` due to a logical bug in the NVMe-oF/TCP
  subsystem in the Linux kernel. This issue may allow a malicious user to
  cause a use-after-free and double-free problem, which may permit remote
  code execution, or lead to local privilege escalation if the attacker
  already has local privileges. (CVE-2023-5178)

  x86: KVM: SVM: always update the x2avic msr interception:
  The following problem has existed since x2avic was enabled in KVM:
  svm_set_x2apic_msr_interception is called to enable the interception of
  the x2apic msrs; in particular it is called at the moment the guest
  resets its apic. Assuming the guest's apic is in x2apic mode, the reset
  will bring it back to xapic mode. svm_set_x2apic_msr_interception,
  however, has an erroneous check for '!apic_x2apic_mode()' which prevents
  it from doing anything in this case. As a result, all x2apic msrs are
  left unintercepted, which exposes the bare metal x2apic (if enabled) to
  the guest. Removing the erroneous '!apic_x2apic_mode()' check fixes
  that. (CVE-2023-5090)

  In unprivileged Xen guests, event handling can cause a deadlock with
  Xen console handling: the evtchn_rwlock and the hvc_lock are taken in
  opposite order in __hvc_poll() and in Xen console IRQ handling. This is
  fixed by "xen/events: replace evtchn_rwlock with RCU". (CVE-2023-34324)

  A use-after-free vulnerability in the Linux kernel's fs/smb/client
  component can be exploited to achieve local privilege escalation. In
  case of an error in smb3_fs_context_parse_param, ctx->password was freed
  but the field was not set to NULL, which could lead to a double free. We
  recommend upgrading past commit e6e43b8aa7cd3c3af686caf0c2e11819a886d705.
  (CVE-2023-5345)

  A flaw was found in the Netfilter subsystem in the Linux kernel. The
  nfnl_osf_add_callback function did not validate the user-mode-controlled
  opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN)
  attacker to trigger an out-of-bounds read, leading to a crash or
  information disclosure. (CVE-2023-39189)

  The reference count changes made as part of the CVE-2023-33951 and
  CVE-2023-33952 fixes exposed a use-after-free flaw in the way memory
  objects were handled when they were being used to store a surface. When
  running inside a VMware guest with 3D acceleration enabled, a local,
  unprivileged user could potentially use this flaw to escalate their
  privileges. (CVE-2023-5633)

  A heap out-of-bounds write vulnerability in the Linux kernel's
  Performance Events (perf) component can be exploited to achieve local
  privilege escalation. If perf_read_group() is called while an event's
  sibling_list is smaller than its child's sibling_list, it can increment
  or write to memory locations outside of the allocated buffer. We
  recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.
  (CVE-2023-5717)

  An issue was discovered in the Linux kernel before 6.5.9, exploitable by
  local users with userspace access to MMIO registers. Incorrect access
  checking in the #VC handler and instruction emulation of the SEV-ES
  emulation of MMIO accesses could lead to arbitrary write access to
  kernel memory (and thus privilege escalation). This depends on a race
  condition through which userspace can replace an instruction before the
  #VC handler reads it. (CVE-2023-46813)

  A null pointer dereference flaw was found in the Linux kernel API for
  the cryptographic algorithm scatterwalk functionality. This issue occurs
  when a user constructs a malicious packet with a specific socket
  configuration, which could allow a local user to crash the system or
  escalate their privileges on the system. (CVE-2023-6176)

  Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
  1.0B through 5.2 may permit an unauthenticated nearby device to spoof
  the BD_ADDR of the peer device to complete pairing without knowledge of
  the PIN. (CVE-2020-26555)

  A flaw was found in the Linux kernel's IP framework for transforming
  packets (XFRM subsystem). This issue may allow a malicious user with
  CAP_NET_ADMIN privileges to directly dereference a NULL pointer in
  xfrm_update_ae_params(), leading to a possible kernel crash and denial
  of service. (CVE-2023-3772)

  A flaw was found in the Linux kernel's IP framework for transforming
  packets (XFRM subsystem). This issue may allow a malicious user with
  CAP_NET_ADMIN privileges to cause a 4-byte out-of-bounds read of
  XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to
  potential leakage of sensitive heap data to userspace. (CVE-2023-3773)

  A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the
  Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs
  can trigger a double fetch race condition vulnerability and invoke the
  `VMGEXIT` handler recursively. If an attacker manages to call the handler
  multiple times, they can trigger a stack overflow and cause a denial of
  service or potentially a guest-to-host escape in kernel configurations
  without stack guard pages (`CONFIG_VMAP_STACK`). (CVE-2023-4155)

  Improper access control in the Intel(R) Ethernet Controller RDMA driver
  for Linux before version 1.9.30 may allow an unauthenticated user to
  potentially enable escalation of privilege via network access.
  (CVE-2023-25775)

  The fix for XSA-423 added logic to Linux's netback driver to deal with
  a frontend splitting a packet in a way such that not all of the headers
  would come in one piece. Unfortunately the logic introduced there didn't
  account for the extreme case of the entire packet being split into as
  many pieces as permitted by the protocol, yet still being smaller than
  the area that's specially dealt with to keep all (possible) headers
  together. Such an unusual packet would therefore trigger a buffer
  overrun in the driver. (CVE-2023-34319)

  It also fixes at least one non-security bug, a sleep lockup:

  Drop Patch1030 and 1050 to fix sleep lockups (bug #32082)

references:
 - https://bugs.mageia.org/show_bug.cgi?id=32537
 - https://bugs.mageia.org/show_bug.cgi?id=32082
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.1
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.2
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.3
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.4
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.5
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.6
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.7
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.8
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.9
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.10
 - https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.11
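The advisory's src: section names the fixed name-version-release for each package, so the practical check on a Mageia 9 host is whether the installed kernel and kmod packages are at or above those versions. The following is an added example, not Mageia's own tooling: it parses the src: entries above (copied inline) and compares an installed package inventory using a simplified RPM version comparison (no tilde/caret handling), so a host running an older kernel is reported as still vulnerable.

```python
import re

# Constructed copy of this advisory's src: section (versions as listed on the page).
ADVISORY_SRC = """\
src:
  9:
   core:
    - kernel-6.5.11-5.mga9
    - kmod-virtualbox-7.0.10-37.mga9
    - kmod-xtables-addons-3.24-50.mga9
"""

def split_nvr(nvr):
    # 'name-version-release' splits at its last two dashes (names may contain dashes)
    return nvr.rsplit("-", 2)

def fixed_packages(text):
    """Map package name -> (version, release) for each '- nvr' entry under src:."""
    entries = re.findall(r"^\s*-\s*(\S+)$", text, re.M)
    return {n: (v, r) for n, v, r in map(split_nvr, entries)}

def rpmvercmp(a, b):
    """Simplified rpmvercmp (no tilde/caret handling): returns -1, 0 or 1."""
    # Split into alternating numeric and alphabetic segments; separators are ignored.
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():        # numeric segments compare as integers
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():       # a numeric segment outranks an alpha one
            return 1 if x.isdigit() else -1
        elif x != y:                           # alpha segments compare lexically
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments wins

def check_host(installed_nvrs, advisory_text=ADVISORY_SRC):
    """Return {name: 'fixed' | 'vulnerable'} for installed packages this advisory covers."""
    fixed = fixed_packages(advisory_text)
    status = {}
    for name, ver, rel in map(split_nvr, installed_nvrs):
        if name in fixed:                      # packages outside src: are not reported
            fver, frel = fixed[name]
            cmp = rpmvercmp(ver, fver) or rpmvercmp(rel, frel)  # version first, then release
            status[name] = "fixed" if cmp >= 0 else "vulnerable"
    return status
```

On a real host the installed list comes from `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`; note that the running kernel (`uname -r`) can still be an older one until the machine is rebooted into the updated package.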
