Title: An update for kernel is now available for openEuler-22.03-LTS
Document type: Security Advisory
Publisher: openEuler security committee (openeuler-security@openeuler.org)
Advisory ID: openEuler-SA-2022-1893
Status: Final
Version: 1.0
Revision history: 1.0, 2022-09-07, Initial
Initial release date: 2022-09-07
Current release date: 2022-09-07
Generator: openEuler SA Tool V1.0 (2022-09-07)

Synopsis: kernel security update

Summary: An update for kernel is now available for openEuler-22.03-LTS.

Description:

Security Fix(es):

An out-of-bounds read flaw was found in the Linux kernel’s TeleTYpe subsystem. The issue occurs in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read unauthorized random data from memory. (CVE-2022-1462)

Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5. (CVE-2022-2503)

A race condition was found in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring(). The specific flaw exists within the handling of pipe buffers. The issue results from the lack of proper locking when performing operations on an object. This flaw allows a local user to crash the system or escalate their privileges on the system. (CVE-2022-2959)

A flaw was found in the kernel's implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system. References: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d8e7007dc7c4d7c8366739bbcd3f5e51dcd470f (CVE-2022-2977)

The Linux kernel's driver for the "ASIX AX88179_178A based USB 2.0/3.0 Gigabit Ethernet Devices" contains multiple out-of-bounds reads and possible writes in the ax88179_rx_fixup() function. References: https://www.spinics.net/lists/stable/msg536418.html Upstream commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581 (CVE-2022-2964)

A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)

Topic: An update for kernel is now available for openEuler-22.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Severity: High

Affected component: kernel

References:

https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1893
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-1462
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-2503
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-2959
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-2977
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-2964
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-3028
https://nvd.nist.gov/vuln/detail/CVE-2022-1462
https://nvd.nist.gov/vuln/detail/CVE-2022-2503
https://nvd.nist.gov/vuln/detail/CVE-2022-2959
https://nvd.nist.gov/vuln/detail/CVE-2022-2977
https://nvd.nist.gov/vuln/detail/CVE-2022-2964
https://nvd.nist.gov/vuln/detail/CVE-2022-3028

Affected product: openEuler-22.03-LTS

Packages:

aarch64:
bpftool-5.10.0-60.54.0.82.oe2203.aarch64.rpm
kernel-tools-devel-5.10.0-60.54.0.82.oe2203.aarch64.rpm
kernel-tools-debuginfo-5.10.0-60.54.0.82.oe2203.aarch64.rpm
kernel-5.10.0-60.54.0.82.oe2203.aarch64.rpm
kernel-debugsource-5.10.0-60.54.0.82.oe2203.aarch64.rpm
kernel-devel-5.10.0-60.54.0.82.oe2203.aarch64.rpm
kernel-tools-5.10.0-60.54.0.82.oe2203.aarch64.rpm
perf-debuginfo-5.10.0-60.54.0.82.oe2203.aarch64.rpm
perf-5.10.0-60.54.0.82.oe2203.aarch64.rpm
python3-perf-5.10.0-60.54.0.82.oe2203.aarch64.rpm
kernel-source-5.10.0-60.54.0.82.oe2203.aarch64.rpm
python3-perf-debuginfo-5.10.0-60.54.0.82.oe2203.aarch64.rpm
bpftool-debuginfo-5.10.0-60.54.0.82.oe2203.aarch64.rpm
kernel-headers-5.10.0-60.54.0.82.oe2203.aarch64.rpm
kernel-debuginfo-5.10.0-60.54.0.82.oe2203.aarch64.rpm

src:
kernel-5.10.0-60.54.0.82.oe2203.src.rpm

x86_64:
kernel-tools-devel-5.10.0-60.54.0.82.oe2203.x86_64.rpm
kernel-tools-5.10.0-60.54.0.82.oe2203.x86_64.rpm
perf-5.10.0-60.54.0.82.oe2203.x86_64.rpm
kernel-debugsource-5.10.0-60.54.0.82.oe2203.x86_64.rpm
kernel-debuginfo-5.10.0-60.54.0.82.oe2203.x86_64.rpm
perf-debuginfo-5.10.0-60.54.0.82.oe2203.x86_64.rpm
python3-perf-debuginfo-5.10.0-60.54.0.82.oe2203.x86_64.rpm
kernel-tools-debuginfo-5.10.0-60.54.0.82.oe2203.x86_64.rpm
bpftool-debuginfo-5.10.0-60.54.0.82.oe2203.x86_64.rpm
kernel-5.10.0-60.54.0.82.oe2203.x86_64.rpm
kernel-headers-5.10.0-60.54.0.82.oe2203.x86_64.rpm
kernel-source-5.10.0-60.54.0.82.oe2203.x86_64.rpm
kernel-devel-5.10.0-60.54.0.82.oe2203.x86_64.rpm
bpftool-5.10.0-60.54.0.82.oe2203.x86_64.rpm
python3-perf-5.10.0-60.54.0.82.oe2203.x86_64.rpm

Vulnerabilities:

Each vulnerability below has a release date of 2022-09-07, affects openEuler-22.03-LTS, and is remediated by the kernel security update of 2022-09-07: https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1893

CVE-2022-1462
Severity: Medium
CVSS base score: 6.3
CVSS vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H

CVE-2022-2503
Severity: Medium
CVSS base score: 6.7
CVSS vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-2959
Severity: High
CVSS base score: 7.0
CVSS vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-2977
Severity: High
CVSS base score: 7.8
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-2964
Severity: High
CVSS base score: 7.8
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-3028
Severity: Medium
CVSS base score: 6.7
CVSS vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H