Mageia 2022-0442: kernel security update | LinuxSecurity.com
MGASA-2022-0442 - Updated kernel packages fix security vulnerabilities

Publication date: 27 Nov 2022
URL: https://advisories.mageia.org/MGASA-2022-0442.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-2602,
     CVE-2022-3524,
     CVE-2022-3535,
     CVE-2022-3542,
     CVE-2022-3543,
     CVE-2022-3564,
     CVE-2022-3565,
     CVE-2022-3594,
     CVE-2022-3619,
     CVE-2022-3623,
     CVE-2022-3628,
     CVE-2022-41849,
     CVE-2022-41850,
     CVE-2022-42895,
     CVE-2022-42896,
     CVE-2022-43945

This kernel update is based on upstream 5.15.79 and fixes at least the
following security issues:

A flaw was found in the Linux kernel. A race issue occurs between an
io_uring request and the Unix socket garbage collector, allowing an attacker
local privilege escalation (CVE-2022-2602).

A vulnerability was found in Linux Kernel. It has been declared as
problematic. Affected by this vulnerability is the function
ipv6_renew_options of the component IPv6 Handler. The manipulation leads
to memory leak. The attack can be launched remotely (CVE-2022-3524).

A vulnerability classified as problematic was found in Linux Kernel.
Affected by this vulnerability is the function mvpp2_dbgfs_port_init of
the file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the
component mvpp2. The manipulation leads to memory leak (CVE-2022-3535).

A vulnerability classified as problematic was found in Linux Kernel. This
vulnerability affects the function bnx2x_tpa_stop of the file drivers/net/
ethernet/broadcom/bnx2x/bnx2x_cmn.c of the component BPF. The manipulation
leads to memory leak (CVE-2022-3542).

A vulnerability, which was classified as problematic, has been found in
Linux Kernel. This issue affects the function unix_sock_destructor/
unix_release_sock of the file net/unix/af_unix.c of the component BPF.
The manipulation leads to memory leak (CVE-2022-3543).

A vulnerability classified as critical was found in Linux Kernel. Affected
by this vulnerability is the function l2cap_reassemble_sdu of the file
net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation
leads to use after free (CVE-2022-3564).

A vulnerability, which was classified as critical, has been found in Linux
Kernel. Affected by this issue is the function del_timer of the file
drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation
leads to use after free (CVE-2022-3565).

A vulnerability was found in Linux Kernel. It has been declared as
problematic. Affected by this vulnerability is the function intr_callback
of the file drivers/net/usb/r8152.c of the component BPF. The manipulation
leads to logging of excessive data. The attack can be launched remotely
(CVE-2022-3594).

A vulnerability has been found in Linux Kernel and classified as
problematic. This vulnerability affects the function l2cap_recv_acldata
of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The
manipulation leads to memory leak (CVE-2022-3619).

A vulnerability was found in Linux Kernel. It has been declared as
problematic. Affected by this vulnerability is the function follow_page_pte
of the file mm/gup.c of the component BPF. The manipulation leads to race
condition (CVE-2022-3623).

An intra-object buffer overflow was found in brcmfmac, which can be
triggered by a malicious USB causing a Denial-of-Service (CVE-2022-3628).

drivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a
race condition and resultant use-after-free if a physically proximate
attacker removes a USB device while calling open(), aka a race condition
between ufx_ops_open and ufx_usb_disconnect (CVE-2022-41849).

occat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through
5.19.12 has a race condition and resultant use-after-free in certain
situations where a report is received while copying a report->value is
in progress (CVE-2022-41850).

There is an infoleak vulnerability in the Linux kernel's net/bluetooth/
l2cap_core.c's l2cap_parse_conf_req function which can be used to leak
kernel pointers remotely (CVE-2022-42895).

There are use-after-free vulnerabilities in the Linux kernel's 
net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req
functions which may allow code execution and leaking kernel memory
(respectively) remotely via Bluetooth. A remote attacker could execute
code leaking kernel memory via Bluetooth if within proximity of the
victim (CVE-2022-42896).

The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2
are vulnerable to buffer overflow. NFSD tracks the number of pages held by
each NFSD thread by combining the receive and send buffers of a remote
procedure call (RPC) into a single array of pages. A client can force the
send buffer to shrink by sending an RPC message over TCP with garbage data
added at the end of the message. The RPC message with garbage data is still
correctly formed according to the specification and is passed forward to
handlers. Vulnerable code in NFSD is not expecting the oversized request
and writes beyond the allocated buffer space (CVE-2022-43945).

For other upstream fixes in this update, see the referenced changelogs.

References:
- https://bugs.mageia.org/show_bug.cgi?id=31148
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.75
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.76
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.77
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.78
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.79
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2602
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3524
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3535
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3542
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3543
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3564
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3565
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3594
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3619
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3623
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3628
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41849
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41850
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42895
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42896
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43945

SRPMS:
- 8/core/kernel-5.15.79-1.mga8
- 8/core/kmod-virtualbox-7.0.2-1.2.mga8
- 8/core/kmod-xtables-addons-3.21-1.7.mga8

Mageia 2022-0442: kernel security update

This kernel update is based on upstream 5.15.79 and fixes at least the following security issues: A flaw was found in the Linux kernel

Summary

This kernel update is based on upstream 5.15.79 and fixes at least the following security issues:
A flaw was found in the Linux kernel. A race issue occurs between an io_uring request and the Unix socket garbage collector, allowing an attacker local privilege escalation (CVE-2022-2602).
A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to memory leak. The attack can be launched remotely (CVE-2022-3524).
A vulnerability classified as problematic was found in Linux Kernel. Affected by this vulnerability is the function mvpp2_dbgfs_port_init of the file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the component mvpp2. The manipulation leads to memory leak (CVE-2022-3535).
A vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function bnx2x_tpa_stop of the file drivers/net/ ethernet/broadcom/bnx2x/bnx2x_cmn.c of the component BPF. The manipulation leads to memory leak (CVE-2022-3542).
A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function unix_sock_destructor/ unix_release_sock of the file net/unix/af_unix.c of the component BPF. The manipulation leads to memory leak (CVE-2022-3543).
A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free (CVE-2022-3564).
A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free (CVE-2022-3565).
A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely (CVE-2022-3594).
A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to memory leak (CVE-2022-3619).
A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function follow_page_pte of the file mm/gup.c of the component BPF. The manipulation leads to race condition (CVE-2022-3623).
An intra-object buffer overflow was found in brcmfmac, which can be triggered by a malicious USB causing a Denial-of-Service (CVE-2022-3628).
drivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a USB device while calling open(), aka a race condition between ufx_ops_open and ufx_usb_disconnect (CVE-2022-41849).
occat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free in certain situations where a report is received while copying a report->value is in progress (CVE-2022-41850).
There is an infoleak vulnerability in the Linux kernel's net/bluetooth/ l2cap_core.c's l2cap_parse_conf_req function which can be used to leak kernel pointers remotely (CVE-2022-42895).
There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim (CVE-2022-42896).
The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD is not expecting the oversized request and writes beyond the allocated buffer space (CVE-2022-43945).
For other upstream fixes in this update, see the referenced changelogs.

References

- https://bugs.mageia.org/show_bug.cgi?id=31148

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.75

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.76

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.77

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.78

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.79

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2602

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3524

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3535

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3542

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3543

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3564

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3565

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3594

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3619

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3623

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3628

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41849

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41850

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42895

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42896

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43945

Resolution

MGASA-2022-0442 - Updated kernel packages fix security vulnerabilities

SRPMS

- 8/core/kernel-5.15.79-1.mga8

- 8/core/kmod-virtualbox-7.0.2-1.2.mga8

- 8/core/kmod-xtables-addons-3.21-1.7.mga8

Severity
Publication date: 27 Nov 2022
URL: https://advisories.mageia.org/MGASA-2022-0442.html
Type: security
CVE: CVE-2022-2602, CVE-2022-3524, CVE-2022-3535, CVE-2022-3542, CVE-2022-3543, CVE-2022-3564, CVE-2022-3565, CVE-2022-3594, CVE-2022-3619, CVE-2022-3623, CVE-2022-3628, CVE-2022-41849, CVE-2022-41850, CVE-2022-42895, CVE-2022-42896, CVE-2022-43945

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.