An update for kernel is now available for openEuler-20.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2023-1779
Final
1.0
1.0
2023-11-03
Initial
2023-11-03
2023-11-03
openEuler SA Tool V1.0
2023-11-03
kernel security update
An update for kernel is now available for openEuler-20.03-LTS-SP1.
The Linux Kernel, the operating system core itself.
Security Fix(es):
An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach(). (CVE-2022-44033)
An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur if there is a disconnect after an open, because of the lack of a wait_event. (CVE-2022-45919)
An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur. (CVE-2023-31083)
An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0. (CVE-2023-31085)
Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not negligible.
A (malicious) guest administrator could cause a denial of service (DoS) in a backend domain (other than dom0) by disabling a paravirtualized device. A malicious backend could cause DoS in a guest running a Linux kernel by disabling a paravirtualized device. (CVE-2023-34324)
A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure. (CVE-2023-39194)
An issue was discovered in lib/kobject.c in the Linux kernel before 6.2.3. With root access, an attacker can trigger a race condition that results in a fill_kobj_path out-of-bounds write. (CVE-2023-45863)
A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.
If perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer.
We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.
(CVE-2023-5717)
openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
High
kernel
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1779
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-44033
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-45919
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-31083
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-31085
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-34324
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-39194
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-45863
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-5717
https://nvd.nist.gov/vuln/detail/CVE-2022-44033
https://nvd.nist.gov/vuln/detail/CVE-2022-45919
https://nvd.nist.gov/vuln/detail/CVE-2023-31083
https://nvd.nist.gov/vuln/detail/CVE-2023-31085
https://nvd.nist.gov/vuln/detail/CVE-2023-34324
https://nvd.nist.gov/vuln/detail/CVE-2023-39194
https://nvd.nist.gov/vuln/detail/CVE-2023-45863
https://nvd.nist.gov/vuln/detail/CVE-2023-5717
openEuler-20.03-LTS-SP1
python2-perf-debuginfo-4.19.90-2311.1.0.0224.oe1.aarch64.rpm
perf-4.19.90-2311.1.0.0224.oe1.aarch64.rpm
bpftool-4.19.90-2311.1.0.0224.oe1.aarch64.rpm
kernel-tools-4.19.90-2311.1.0.0224.oe1.aarch64.rpm
kernel-source-4.19.90-2311.1.0.0224.oe1.aarch64.rpm
python2-perf-4.19.90-2311.1.0.0224.oe1.aarch64.rpm
kernel-debuginfo-4.19.90-2311.1.0.0224.oe1.aarch64.rpm
kernel-4.19.90-2311.1.0.0224.oe1.aarch64.rpm
kernel-debugsource-4.19.90-2311.1.0.0224.oe1.aarch64.rpm
bpftool-debuginfo-4.19.90-2311.1.0.0224.oe1.aarch64.rpm
python3-perf-4.19.90-2311.1.0.0224.oe1.aarch64.rpm
kernel-tools-debuginfo-4.19.90-2311.1.0.0224.oe1.aarch64.rpm
perf-debuginfo-4.19.90-2311.1.0.0224.oe1.aarch64.rpm
python3-perf-debuginfo-4.19.90-2311.1.0.0224.oe1.aarch64.rpm
kernel-devel-4.19.90-2311.1.0.0224.oe1.aarch64.rpm
kernel-tools-devel-4.19.90-2311.1.0.0224.oe1.aarch64.rpm
kernel-4.19.90-2311.1.0.0224.oe1.src.rpm
python3-perf-4.19.90-2311.1.0.0224.oe1.x86_64.rpm
kernel-tools-4.19.90-2311.1.0.0224.oe1.x86_64.rpm
bpftool-4.19.90-2311.1.0.0224.oe1.x86_64.rpm
perf-4.19.90-2311.1.0.0224.oe1.x86_64.rpm
python3-perf-debuginfo-4.19.90-2311.1.0.0224.oe1.x86_64.rpm
kernel-4.19.90-2311.1.0.0224.oe1.x86_64.rpm
python2-perf-4.19.90-2311.1.0.0224.oe1.x86_64.rpm
perf-debuginfo-4.19.90-2311.1.0.0224.oe1.x86_64.rpm
kernel-tools-devel-4.19.90-2311.1.0.0224.oe1.x86_64.rpm
kernel-source-4.19.90-2311.1.0.0224.oe1.x86_64.rpm
kernel-debuginfo-4.19.90-2311.1.0.0224.oe1.x86_64.rpm
kernel-debugsource-4.19.90-2311.1.0.0224.oe1.x86_64.rpm
bpftool-debuginfo-4.19.90-2311.1.0.0224.oe1.x86_64.rpm
python2-perf-debuginfo-4.19.90-2311.1.0.0224.oe1.x86_64.rpm
kernel-devel-4.19.90-2311.1.0.0224.oe1.x86_64.rpm
kernel-tools-debuginfo-4.19.90-2311.1.0.0224.oe1.x86_64.rpm
An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().
2023-11-03
CVE-2022-44033
openEuler-20.03-LTS-SP1
Medium
6.4
AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
kernel security update
2023-11-03
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1779
An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur if there is a disconnect after an open, because of the lack of a wait_event.
2023-11-03
CVE-2022-45919
openEuler-20.03-LTS-SP1
High
7.0
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
kernel security update
2023-11-03
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1779
An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.
2023-11-03
CVE-2023-31083
openEuler-20.03-LTS-SP1
Medium
4.7
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
kernel security update
2023-11-03
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1779
An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.
2023-11-03
CVE-2023-31085
openEuler-20.03-LTS-SP1
Medium
5.5
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
kernel security update
2023-11-03
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1779
Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not negligible. A (malicious) guest administrator could cause a denial of service (DoS) in a backend domain (other than dom0) by disabling a paravirtualized device. A malicious backend could cause DoS in a guest running a Linux kernel by disabling a paravirtualized device.
2023-11-03
CVE-2023-34324
openEuler-20.03-LTS-SP1
Medium
5.7
AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
kernel security update
2023-11-03
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1779
A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.
2023-11-03
CVE-2023-39194
openEuler-20.03-LTS-SP1
Medium
4.4
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
kernel security update
2023-11-03
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1779
An issue was discovered in lib/kobject.c in the Linux kernel before 6.2.3. With root access, an attacker can trigger a race condition that results in a fill_kobj_path out-of-bounds write.
2023-11-03
CVE-2023-45863
openEuler-20.03-LTS-SP1
Medium
6.4
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
kernel security update
2023-11-03
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1779
A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation. If perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer. We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.
2023-11-03
CVE-2023-5717
openEuler-20.03-LTS-SP1
High
7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
kernel security update
2023-11-03
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1779