An update for kernel is now available for openEuler-22.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2023-1188 Final 1.0 1.0 2023-03-31 Initial 2023-03-31 2023-03-31 openEuler SA Tool V1.0 2023-03-31 kernel security update An update for kernel is now available for openEuler-22.03-LTS. The Linux Kernel, the operating system core itself. Security Fix(es): When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure.(CVE-2022-27672) A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.(CVE-2023-1079) In the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c misinterprets the get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).(CVE-2023-23004) A use-after-free flaw was found in the Linux kernel’s core dump subsystem. This flaw allows a local user to crash the system. Only if patch 390031c94211 ("coredump: Use the vma snapshot in fill_files_note") not applied yet, then kernel could be affected.(CVE-2023-1249) Kernel: denial of service in tipc_conn_close(CVE-2023-1382) do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).(CVE-2023-28466) In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.(CVE-2022-48424) In the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate resident attribute names. An out-of-bounds write may occur.(CVE-2022-48423) In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs.(CVE-2022-48425) Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.(CVE-2023-1281) In the Linux kernel before 5.16.3, drivers/usb/dwc3/dwc3-qcom.c misinterprets the dwc3_qcom_create_urs_usb_platdev return value (expects it to be NULL in the error case, whereas it is actually an error pointer).(CVE-2023-22999) An update for kernel is now available for openEuler-22.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High kernel https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1188 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-27672 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-1079 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-23004 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-1249 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-1382 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-28466 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-48424 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-48423 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-48425 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-1281 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-22999 https://nvd.nist.gov/vuln/detail/CVE-2022-27672 https://nvd.nist.gov/vuln/detail/CVE-2023-1079 https://nvd.nist.gov/vuln/detail/CVE-2023-23004 https://nvd.nist.gov/vuln/detail/CVE-2023-1249 https://nvd.nist.gov/vuln/detail/CVE-2023-1382 https://nvd.nist.gov/vuln/detail/CVE-2023-28466 https://nvd.nist.gov/vuln/detail/CVE-2022-48424 https://nvd.nist.gov/vuln/detail/CVE-2022-48423 https://nvd.nist.gov/vuln/detail/CVE-2022-48425 https://nvd.nist.gov/vuln/detail/CVE-2023-1281 https://nvd.nist.gov/vuln/detail/CVE-2023-22999 openEuler-22.03-LTS bpftool-5.10.0-60.87.0.111.oe2203.aarch64.rpm kernel-tools-devel-5.10.0-60.87.0.111.oe2203.aarch64.rpm kernel-devel-5.10.0-60.87.0.111.oe2203.aarch64.rpm perf-debuginfo-5.10.0-60.87.0.111.oe2203.aarch64.rpm kernel-headers-5.10.0-60.87.0.111.oe2203.aarch64.rpm kernel-5.10.0-60.87.0.111.oe2203.aarch64.rpm perf-5.10.0-60.87.0.111.oe2203.aarch64.rpm python3-perf-5.10.0-60.87.0.111.oe2203.aarch64.rpm kernel-debuginfo-5.10.0-60.87.0.111.oe2203.aarch64.rpm python3-perf-debuginfo-5.10.0-60.87.0.111.oe2203.aarch64.rpm kernel-tools-5.10.0-60.87.0.111.oe2203.aarch64.rpm kernel-source-5.10.0-60.87.0.111.oe2203.aarch64.rpm bpftool-debuginfo-5.10.0-60.87.0.111.oe2203.aarch64.rpm kernel-tools-debuginfo-5.10.0-60.87.0.111.oe2203.aarch64.rpm kernel-debugsource-5.10.0-60.87.0.111.oe2203.aarch64.rpm kernel-5.10.0-60.87.0.111.oe2203.src.rpm kernel-tools-debuginfo-5.10.0-60.87.0.111.oe2203.x86_64.rpm python3-perf-debuginfo-5.10.0-60.87.0.111.oe2203.x86_64.rpm perf-debuginfo-5.10.0-60.87.0.111.oe2203.x86_64.rpm python3-perf-5.10.0-60.87.0.111.oe2203.x86_64.rpm kernel-debugsource-5.10.0-60.87.0.111.oe2203.x86_64.rpm kernel-tools-5.10.0-60.87.0.111.oe2203.x86_64.rpm kernel-debuginfo-5.10.0-60.87.0.111.oe2203.x86_64.rpm bpftool-5.10.0-60.87.0.111.oe2203.x86_64.rpm kernel-devel-5.10.0-60.87.0.111.oe2203.x86_64.rpm kernel-headers-5.10.0-60.87.0.111.oe2203.x86_64.rpm kernel-source-5.10.0-60.87.0.111.oe2203.x86_64.rpm bpftool-debuginfo-5.10.0-60.87.0.111.oe2203.x86_64.rpm perf-5.10.0-60.87.0.111.oe2203.x86_64.rpm kernel-5.10.0-60.87.0.111.oe2203.x86_64.rpm kernel-tools-devel-5.10.0-60.87.0.111.oe2203.x86_64.rpm When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. 2023-03-31 CVE-2022-27672 openEuler-22.03-LTS Medium 4.7 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N kernel security update 2023-03-31 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1188 A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data. 2023-03-31 CVE-2023-1079 openEuler-22.03-LTS Medium 6.8 AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H kernel security update 2023-03-31 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1188 In the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c misinterprets the get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer). 2023-03-31 CVE-2023-23004 openEuler-22.03-LTS Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2023-03-31 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1188 A use-after-free flaw was found in the Linux kernel’s core dump subsystem. This flaw allows a local user to crash the system. Only if patch 390031c94211 ("coredump: Use the vma snapshot in fill_files_note") not applied yet, then kernel could be affected. 2023-03-31 CVE-2023-1249 openEuler-22.03-LTS Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2023-03-31 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1188 Kernel: denial of service in tipc_conn_close 2023-03-31 CVE-2023-1382 openEuler-22.03-LTS Low 0.0 kernel security update 2023-03-31 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1188 do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference). 2023-03-31 CVE-2023-28466 openEuler-22.03-LTS High 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2023-03-31 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1188 In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur. 2023-03-31 CVE-2022-48424 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2023-03-31 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1188 In the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate resident attribute names. An out-of-bounds write may occur. 2023-03-31 CVE-2022-48423 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2023-03-31 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1188 In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs. 2023-03-31 CVE-2022-48425 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2023-03-31 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1188 Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when tcf_exts_exec() is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. 2023-03-31 CVE-2023-1281 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2023-03-31 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1188 In the Linux kernel before 5.16.3, drivers/usb/dwc3/dwc3-qcom.c misinterprets the dwc3_qcom_create_urs_usb_platdev return value (expects it to be NULL in the error case, whereas it is actually an error pointer). 2023-03-31 CVE-2023-22999 openEuler-22.03-LTS Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2023-03-31 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1188