CVE Status: Difference between revisions

From Yocto Project
(Update with new/removed CVEs cw 06/24)
 
(19 intermediate revisions by the same user not shown)
Line 12: Line 12:


Issue with suid binaries and coredumps. Last known progress on mitigating was [https://lore.kernel.org/lkml/CAAq0SUmw3fGtwDifbBMrD7jgPBGQb7uC0K9hJetVTRQO7boPtA@mail.gmail.com/t/#u this thread].
Issue with suid binaries and coredumps. Last known progress on mitigating was [https://lore.kernel.org/lkml/CAAq0SUmw3fGtwDifbBMrD7jgPBGQb7uC0K9hJetVTRQO7boPtA@mail.gmail.com/t/#u this thread].
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 CVE-2022-0400] (linux-yocto) ===


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 CVE-2022-3219] (gnupg) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 CVE-2022-3219] (gnupg) ===
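Review bot: The added heading for CVE-2022-0400 (linux-yocto), placed between the CVE-2021-3864 text and the CVE-2022-3219 heading, has no status text, and the page already carries a CVE-2022-0400 section ("Out-of-bounds read in the SMC stack"), so the latest revision ends up with that heading twice, once empty. Suggest dropping the new heading, or replacing it with the CVE that was meant to go here along with its status.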
Line 39: Line 41:
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0687 CVE-2023-0687] (glibc) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0687 CVE-2023-0687] (glibc) ===


Bad CPE, should be marked as fixed in 2.38. Emailed NIST, data not updated yet.
Bad CPE, should be marked as fixed in 2.38. Emailed NIST, data not updated yet.  NVD pinged 12/02/2024.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 CVE-2023-1386] (qemu) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 CVE-2023-1386] (qemu) ===


Still [https://github.com/v9fs/linux/issues/29 open upstream].
Still [https://github.com/v9fs/linux/issues/29 open upstream].
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3019 CVE-2023-3019] (qemu) ===
Fixed in 8.2.0 with 9050f976e447444ea6ee2ba12c9f77e4b0dc54bc. NVD pinged 06/02/2024.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3164 CVE-2023-3164] (tiff) ===
Upstream issue https://gitlab.com/libtiff/libtiff/-/issues/542 closed as "wontfix-unmaintained"
Only affect the tiffcrop tool not compiled by default since 4.6.0 (OE-Core = 4.6.0).
NVD pinged 06/02/2024.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3180 CVE-2023-3180] (qemu) ===
[https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980 Fixed] in 8.1.0.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3354 CVE-2023-3354] (qemu) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3354 CVE-2023-3354] (qemu) ===
Line 86: Line 74:


[https://gitlab.com/qemu-project/qemu/-/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf Fixed] in 8.1.0.
[https://gitlab.com/qemu-project/qemu/-/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf Fixed] in 8.1.0.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-37769 CVE-2023-37769] (pixman) ===
Appears to be a floating point exception in a test, should verify that the crash is in the test code and not the library. [https://gitlab.freedesktop.org/pixman/pixman/-/issues/76 This ticket] has the details.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40360 CVE-2023-40360] (qemu) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40360 CVE-2023-40360] (qemu) ===
Line 102: Line 86:


Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/347.
Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/347.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5088 CVE-2023-5088] (qemu) ===
Fix merged https://github.com/qemu/qemu/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e
Present in >=8.2.0 (OE-core qemu = 8.2.1)
NVD pinged 06/02/2024
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4692 CVE-2023-4692] (grub) ===
(in NTFS support) : Fix merged : e58b870ff926415e23fc386af41ff81b2f588763 + 6 parents , released in 2.12
OE-Core grub = 2.12
NVD pinged 06/02/2024
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4693 CVE-2023-4693] (grub:grub-efi:grub-native) ===
(in NTFS support) : Fix merged : e58b870ff926415e23fc386af41ff81b2f588763 + 6 parents , released in 2.12
OE-Core grub = 2.12
NVD pinged 06/02/2024
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6683 CVE-2023-6683] (qemu) ===
Patch posted : [https://lists.nongnu.org/archive/html/qemu-devel/2024-01/msg02382.html ui/clipboard: avoid crash upon request when clipboard peer is no] not merged yet
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6693 CVE-2023-6693] (qemu) ===
Backported upstream 939a09575fff7048446e36ce438fa7be6e251d41 in v8.2.1. CPE change request sent to NVD 07/02/2024
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25584 CVE-2023-25584] (binutils) ===
Merged fix in https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44. Present in binutils >=2.40
NVD pinged 06/02/2024
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38559 CVE-2023-38559] (ghostscript) ===
Fix https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1
Present in >= 10.02.0 (OE-core ghostscript = 10.02.1)
NVD pinged 06/02/2024


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 CVE-2023-42363] (busybox) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 CVE-2023-42363] (busybox) ===
Line 155: Line 102:


Patch available (not merged yet) : [https://bugs.busybox.net/attachment.cgi?id=9697&action=edit Attachment 9697 Details for Bug 15874 – PATCH awk.c: fix CVE-2023-42366 (bug #15874)]
Patch available (not merged yet) : [https://bugs.busybox.net/attachment.cgi?id=9697&action=edit Attachment 9697 Details for Bug 15874 – PATCH awk.c: fix CVE-2023-42366 (bug #15874)]
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-48795 CVE-2023-48795] (openssh) ===
Fix WIP : https://lists.openembedded.org/g/openembedded-core/topic/103546397#193372
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51384 CVE-2023-51384] (openssh) ===
Fix WIP : https://lists.openembedded.org/g/openembedded-core/topic/103546397#193372
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51385 CVE-2023-51385] (openssh) ===
Fix WIP : https://lists.openembedded.org/g/openembedded-core/topic/103546397#193372


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51767 CVE-2023-51767] (openssh) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51767 CVE-2023-51767] (openssh) ===
Line 173: Line 108:
Upstream bug : https://bugzilla.mindrot.org/show_bug.cgi?id=3656 (still open, no patch)
Upstream bug : https://bugzilla.mindrot.org/show_bug.cgi?id=3656 (still open, no patch)
Real-world impacts seem quite low
Real-world impacts seem quite low
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6780 CVE-2023-6780] (glibc) ===
Fixed in 2.39 already wrong cpe


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21803 CVE-2023-21803] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21803 CVE-2023-21803] (linux-yocto) ===
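Review bot: In the trailing context of this hunk the heading links to vulnId=CVE-2024-21803 but displays CVE-2023-21803, so the link target and the label name different CVEs. Since this edit touches the lines just above (removing the CVE-2023-6780 entry), it would be worth making the two agree here.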
Line 188: Line 120:


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24864 CVE-2023-25864] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24864 CVE-2023-25864] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6240 CVE-2023-6240] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6356 CVE-2023-6356] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6535 CVE-2023-6535] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6536 CVE-2023-6536] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7216 CVE-2023-7216] (cpio) ===
Open upstream, disputed by maintainer see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25739 CVE-2024-25739] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25740 CVE-2024-25740] (linux-yocto) ===


<!--
<!--
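Review bot: The headings added here for CVE-2023-6240, CVE-2023-6356, CVE-2023-6535, CVE-2023-6536, CVE-2024-25739 and CVE-2024-25740 (linux-yocto) have no status text, while the page describes itself as listing open CVEs "and the current state"; only the CVE-2023-7216 (cpio) entry comes with a note. Suggest adding at least a one-line status to each. The context heading just above them also links to vulnId=CVE-2024-24864 but displays CVE-2023-25864.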

Latest revision as of 11:29, 10 March 2024

This is a list of CVEs which are currently being reported as open, and the current state.

CVE-2019-14899 (linux-yocto)

Claims to be about breaking into VPN tunnels. OpenVPN disputes it; Red Hat thinks it might actually have a larger scope, but also that the paper is misleading.

CVE-2021-3714 (linux-yocto)

Flaw in kernel memory de-duplication. Still an issue, albeit minor.

CVE-2021-3864 (linux-yocto)

Issue with suid binaries and coredumps. Last known progress on mitigating was this thread.

CVE-2022-0400 (linux-yocto)

CVE-2022-3219 (gnupg)

Hypothetical DoS. A patch was proposed but hasn't been reviewed or merged.

CVE-2022-0400 (linux-yocto)

Out-of-bounds read in the SMC stack. Details are still embargoed so can't tell what this actually impacts.

CVE-2022-1247 (linux-yocto)

Race in the X.25 AF_ROSE implementation, so only an issue if CONFIG_ROSE is enabled.

CVE-2022-4543 (linux-yocto)

aka EntryBleed. Vulnerable on x86-64 systems.

CVE-2022-38096 (linux-yocto)

Bug in vmwgfx driver, still open. Mitigated if CONFIG_DRM_VMWGFX is not enabled.

CVE-2022-46456 (nasm)

Buffer overflow, still open upstream.

CVE-2023-0687 (glibc)

Bad CPE, should be marked as fixed in 2.38. Emailed NIST, data not updated yet. NVD pinged 12/02/2024.

CVE-2023-1386 (qemu)

Still open upstream.

CVE-2023-3354 (qemu)

Fixed in 8.1.0.

CVE-2023-3640 (linux-yocto)

CPU-level address leak specific to x86, still an issue.

CVE-2023-3772 (linux-yocto)

Merged in 00374d9b6d9f932802b55181be9831aa948e5b7c, needs backport.

CVE-2023-3773 (linux-yocto)

Merged in 5e2424708da7207087934c5c75211e8584d553a0, needs backport.

CVE-2023-4010 (linux-yocto)

Hang in USB subsystem. No fix yet.

CVE-2023-4128 (linux-yocto)

Merged in 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81, needs backporting.

CVE-2023-4135 (qemu)

Fixed in 8.1.0.

CVE-2023-40360 (qemu)

Fixed in 8.1.0.

CVE-2023-4569 (linux-yocto)

Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/346.

CVE-2023-4611 (linux-yocto)

Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/347.

CVE-2023-42363 (busybox)

Upstream bug still open: https://bugs.busybox.net/show_bug.cgi?id=15865

CVE-2023-42364 (busybox)

Upstream bug still open: https://bugs.busybox.net/show_bug.cgi?id=15868

CVE-2023-42365 (busybox)

Upstream bug still open: https://bugs.busybox.net/show_bug.cgi?id=15871

CVE-2023-42366 (busybox)

Patch available (not merged yet): Attachment 9697 for Bug 15874, "PATCH awk.c: fix CVE-2023-42366 (bug #15874)"

CVE-2023-51767 (openssh)

"openssh: authentication bypass via row hammer attack". Upstream bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3656 (still open, no patch). Real-world impact seems quite low.

CVE-2023-21803 (linux-yocto)

CVE-2023-24857 (linux-yocto)

CVE-2023-24858 (linux-yocto)

CVE-2023-24859 (linux-yocto)

CVE-2023-24861 (linux-yocto)

CVE-2023-25864 (linux-yocto)

CVE-2023-6240 (linux-yocto)

CVE-2023-6356 (linux-yocto)

CVE-2023-6535 (linux-yocto)

CVE-2023-6536 (linux-yocto)

CVE-2023-7216 (cpio)

Open upstream, disputed by maintainer; see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html

CVE-2024-25739 (linux-yocto)

CVE-2024-25740 (linux-yocto)