An update for kernel is now available for openEuler-22.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2023-1056 Final 1.0 1.0 2023-02-03 Initial 2023-02-03 2023-02-03 openEuler SA Tool V1.0 2023-02-03 kernel security update An update for kernel is now available for openEuler-22.03-LTS. The Linux Kernel, the operating system core itself. Security Fix(es): In binder_vma_close of binder.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-254837884References: Upstream kernel(CVE-2023-20928) A heap overflow bug in ksmbd_decode_ntlmssp_auth_blob in which nt_len can be less than CIFS_ENCPWD_SIZE. This results in a negative blen argument for ksmbd_auth_ntlmv2, where it calls memcpy using blen on memory allocated by kmalloc(blen + CIFS_CRYPTO_KEY_SIZE). Note that CIFS_ENCPWD_SIZE is 16 and CIFS_CRYPTO_KEY_SIZE is 8. We believe this bug can only result in a remote DOS and not privilege escalation nor RCE, as the heap overflow occurs when blen is in range (-8, -1].” Reference: https://securityonline.info/cve-2023-0210-flaw-in-linux-kernel-allows-unauthenticated-remote-dos-attacks/ https://www.spinics.net/lists/stable-commits/msg282893.html(CVE-2023-0210) In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.(CVE-2023-23559) There exists a use-after-free vulnerability in the Linux kernel through io_uring and the IORING_OP_SPLICE operation. If IORING_OP_SPLICE is missing the IO_WQ_WORK_FILES flag, which signals that the operation won't use current->nsproxy, so its reference counter is not increased. This assumption is not always true as calling io_splice on specific files will call the get_uts function which will use current->nsproxy leading to invalidly decreasing its reference counter later causing the use-after-free vulnerability. We recommend upgrading to version 5.10.160 or above(CVE-2022-4696) An update for kernel is now available for openEuler-22.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High kernel https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1056 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-20928 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-0210 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-23559 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-4696 https://nvd.nist.gov/vuln/detail/CVE-2023-20928 https://nvd.nist.gov/vuln/detail/CVE-2023-0210 https://nvd.nist.gov/vuln/detail/CVE-2023-23559 https://nvd.nist.gov/vuln/detail/CVE-2022-4696 openEuler-22.03-LTS kernel-tools-5.10.0-60.79.0.103.oe2203.aarch64.rpm kernel-5.10.0-60.79.0.103.oe2203.aarch64.rpm python3-perf-5.10.0-60.79.0.103.oe2203.aarch64.rpm python3-perf-debuginfo-5.10.0-60.79.0.103.oe2203.aarch64.rpm kernel-tools-devel-5.10.0-60.79.0.103.oe2203.aarch64.rpm perf-5.10.0-60.79.0.103.oe2203.aarch64.rpm bpftool-debuginfo-5.10.0-60.79.0.103.oe2203.aarch64.rpm kernel-debuginfo-5.10.0-60.79.0.103.oe2203.aarch64.rpm kernel-tools-debuginfo-5.10.0-60.79.0.103.oe2203.aarch64.rpm kernel-debugsource-5.10.0-60.79.0.103.oe2203.aarch64.rpm kernel-headers-5.10.0-60.79.0.103.oe2203.aarch64.rpm kernel-source-5.10.0-60.79.0.103.oe2203.aarch64.rpm bpftool-5.10.0-60.79.0.103.oe2203.aarch64.rpm kernel-devel-5.10.0-60.79.0.103.oe2203.aarch64.rpm perf-debuginfo-5.10.0-60.79.0.103.oe2203.aarch64.rpm kernel-5.10.0-60.79.0.103.oe2203.src.rpm python3-perf-5.10.0-60.79.0.103.oe2203.x86_64.rpm python3-perf-debuginfo-5.10.0-60.79.0.103.oe2203.x86_64.rpm bpftool-5.10.0-60.79.0.103.oe2203.x86_64.rpm perf-5.10.0-60.79.0.103.oe2203.x86_64.rpm kernel-tools-devel-5.10.0-60.79.0.103.oe2203.x86_64.rpm kernel-tools-debuginfo-5.10.0-60.79.0.103.oe2203.x86_64.rpm kernel-devel-5.10.0-60.79.0.103.oe2203.x86_64.rpm kernel-tools-5.10.0-60.79.0.103.oe2203.x86_64.rpm bpftool-debuginfo-5.10.0-60.79.0.103.oe2203.x86_64.rpm kernel-debugsource-5.10.0-60.79.0.103.oe2203.x86_64.rpm perf-debuginfo-5.10.0-60.79.0.103.oe2203.x86_64.rpm kernel-debuginfo-5.10.0-60.79.0.103.oe2203.x86_64.rpm kernel-headers-5.10.0-60.79.0.103.oe2203.x86_64.rpm kernel-source-5.10.0-60.79.0.103.oe2203.x86_64.rpm kernel-5.10.0-60.79.0.103.oe2203.x86_64.rpm In binder_vma_close of binder.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-254837884References: Upstream kernel 2023-02-03 CVE-2023-20928 openEuler-22.03-LTS High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H kernel security update 2023-02-03 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1056 A heap overflow bug in ksmbd_decode_ntlmssp_auth_blob in which nt_len can be less than CIFS_ENCPWD_SIZE. This results in a negative blen argument for ksmbd_auth_ntlmv2, where it calls memcpy using blen on memory allocated by kmalloc(blen + CIFS_CRYPTO_KEY_SIZE). Note that CIFS_ENCPWD_SIZE is 16 and CIFS_CRYPTO_KEY_SIZE is 8. We believe this bug can only result in a remote DOS and not privilege escalation nor RCE, as the heap overflow occurs when blen is in range (-8, -1].”Reference:https://securityonline.info/cve-2023-0210-flaw-in-linux-kernel-allows-unauthenticated-remote-dos-attacks/https://www.spinics.net/lists/stable-commits/msg282893.html 2023-02-03 CVE-2023-0210 openEuler-22.03-LTS Medium 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H kernel security update 2023-02-03 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1056 In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition. 2023-02-03 CVE-2023-23559 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2023-02-03 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1056 There exists a use-after-free vulnerability in the Linux kernel through io_uring and the IORING_OP_SPLICE operation. If IORING_OP_SPLICE is missing the IO_WQ_WORK_FILES flag, which signals that the operation won t use current->nsproxy, so its reference counter is not increased. This assumption is not always true as calling io_splice on specific files will call the get_uts function which will use current->nsproxy leading to invalidly decreasing its reference counter later causing the use-after-free vulnerability. We recommend upgrading to version 5.10.160 or above 2023-02-03 CVE-2022-4696 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2023-02-03 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1056