CVE Status: Difference between revisions

From Yocto Project
Jump to navigationJump to search
mNo edit summary
 
(47 intermediate revisions by 3 users not shown)
Line 1: Line 1:
This is a list of CVEs which are currently being reported as open, and the current state.
This is a list of CVEs which are currently being reported as open, and the current state.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 CVE-2019-14899] (linux-yocto) ===
Claims to be about breaking into VPN tunnels. OpenVPN dispute, Red Hat think it might actually have a larger scope but also the paper is misleading.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 CVE-2021-3714] (linux-yocto) ===
Flaw in kernel memory de-duplication. Still an issue, albeit minor.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 CVE-2021-3864] (linux-yocto) ===
Issue with suid binaries and coredumps. Last known progress on mitigating was [https://lore.kernel.org/lkml/CAAq0SUmw3fGtwDifbBMrD7jgPBGQb7uC0K9hJetVTRQO7boPtA@mail.gmail.com/t/#u this thread].
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 CVE-2022-0400] (linux-yocto) ===


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 CVE-2022-3219] (gnupg) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 CVE-2022-3219] (gnupg) ===
Line 5: Line 19:
Hypothetical DoS. A patch [https://dev.gnupg.org/D556 was proposed] but hasn't been reviewed or merged.
Hypothetical DoS. A patch [https://dev.gnupg.org/D556 was proposed] but hasn't been reviewed or merged.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-33065 CVE-2022-33065] (libsndfile1) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 CVE-2022-0400] (linux-yocto) ===
 
Out-of-bounds read in the SMC stack. Details are still embargoed so can't tell what this actually impacts.
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 CVE-2022-1247] (linux-yocto) ===
 
Race in the X.25 AF_ROSE implementation, so only an issue if <tt>CONFIG_ROSE</tt> is enabled.
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 CVE-2022-4543] (linux-yocto) ===


Integer overflow, [https://github.com/libsndfile/libsndfile/issues/789 still open upstream].
aka EntryBleed. Vulnerable on x86-64 systems.
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 CVE-2022-38096] (linux-yocto) ===
 
Bug in vmwgfx driver, still open. Mitigated if CONFIG_DRM_VMWGFX is not enabled.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 CVE-2022-46456] (nasm) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 CVE-2022-46456] (nasm) ===
Line 15: Line 41:
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0687 CVE-2023-0687] (glibc) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0687 CVE-2023-0687] (glibc) ===


Bad CPE, should be marked as fixed in 2.38. Emailed NIST, data not updated yet.
Bad CPE, should be marked as fixed in 2.38. Emailed NIST, data not updated yet.  NVD pinged 12/02/2024.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-37769 CVE-2023-37769] (pixman) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 CVE-2023-1386] (qemu) ===
 
Still [https://github.com/v9fs/linux/issues/29 open upstream].
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3354 CVE-2023-3354] (qemu) ===
 
[https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4 Fixed] in 8.1.0.
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3640 CVE-2023-3640] (linux-yocto) ===
 
CPU-level address leak specific to x86, still an issue.
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3772 CVE-2023-3772] (linux-yocto) ===


Appears to be a floating point exception in a test, should verify that the crash is in the test code and not the library. [https://gitlab.freedesktop.org/pixman/pixman/-/issues/76 This ticket] has the details.
Merged in 00374d9b6d9f932802b55181be9831aa948e5b7c, needs backport.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 CVE-2023-1386] (qemu) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3773 CVE-2023-3773] (linux-yocto) ===


Still [https://github.com/v9fs/linux/issues/29 open upstream].
Merged in 5e2424708da7207087934c5c75211e8584d553a0, needs backport.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3019 CVE-2023-3019] (qemu) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010 CVE-2023-4010] (linux-yocto) ===


Linked patches need rebasing and review.
Hang in USB subsystem. No fix yet.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3180 CVE-2023-3180] (qemu) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4128 CVE-2023-4128] (linux-yocto) ===


[https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980 Fixed] in 8.1.0.
Merged in 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81, needs backporting.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3354 CVE-2023-3354] (qemu) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4135 CVE-2023-4135] (qemu) ===


[https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4 Fixed] in 8.1.0.
[https://gitlab.com/qemu-project/qemu/-/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf Fixed] in 8.1.0.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40360 CVE-2023-40360] (qemu) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40360 CVE-2023-40360] (qemu) ===
Line 41: Line 79:
[https://gitlab.com/qemu-project/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98 Fixed] in 8.1.0.
[https://gitlab.com/qemu-project/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98 Fixed] in 8.1.0.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4135 CVE-2023-4135] (qemu) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4569 CVE-2023-4569] (linux-yocto) ===
 
Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/346.
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4611 CVE-2023-4611] (linux-yocto) ===
 
Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/347.
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 CVE-2023-42363] (busybox) ===
 
Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15865"
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42364 CVE-2023-42364] (busybox) ===
 
Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15868"
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42365 CVE-2023-42365] (busybox) ===
 
Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15871 "
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42366 CVE-2023-42366] (busybox) ===
 
Patch available (not merged yet) : [https://bugs.busybox.net/attachment.cgi?id=9697&action=edit Attachment 9697 Details for Bug 15874 – PATCH awk.c: fix CVE-2023-42366 (bug #15874)]
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51767 CVE-2023-51767] (openssh) ===
 
"openssh: authentication bypass via row hammer attack"
Upstream bug : https://bugzilla.mindrot.org/show_bug.cgi?id=3656 (still open, no patch)
Real-world impacts seem quite low
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21803 CVE-2023-21803] (linux-yocto) ===
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24857 CVE-2023-24857] (linux-yocto) ===
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24858 CVE-2023-24858] (linux-yocto) ===
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24859 CVE-2023-24859] (linux-yocto) ===
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24861 CVE-2023-24861] (linux-yocto) ===
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24864 CVE-2023-25864] (linux-yocto) ===
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6240 CVE-2023-6240] (linux-yocto) ===
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6356 CVE-2023-6356] (linux-yocto) ===
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6535 CVE-2023-6535] (linux-yocto) ===
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6536 CVE-2023-6536] (linux-yocto) ===
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7216 CVE-2023-7216] (cpio) ===
Open upstream, disputed by maintainer see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25739 CVE-2024-25739] (linux-yocto) ===


[https://gitlab.com/qemu-project/qemu/-/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf Fixed] in 8.1.0.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25740 CVE-2024-25740] (linux-yocto) ===


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 CVE-2019-14899] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 CVE-2021-3714] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 CVE-2021-3864] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 CVE-2022-0400] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 CVE-2022-1247] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 CVE-2022-4543] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36402 CVE-2022-36402] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 CVE-2022-38096] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3640 CVE-2023-3640] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3772 CVE-2023-3772] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3773 CVE-2023-3773] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010 CVE-2023-4010] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4128 CVE-2023-4128] (linux-yocto) ===


<!--
<!--

Latest revision as of 11:29, 10 March 2024

This is a list of CVEs which are currently being reported as open, and the current state.

CVE-2019-14899 (linux-yocto)

Claims to be about breaking into VPN tunnels. OpenVPN dispute, Red Hat think it might actually have a larger scope but also the paper is misleading.

CVE-2021-3714 (linux-yocto)

Flaw in kernel memory de-duplication. Still an issue, albeit minor.

CVE-2021-3864 (linux-yocto)

Issue with suid binaries and coredumps. Last known progress on mitigating was this thread.

CVE-2022-0400 (linux-yocto)

CVE-2022-3219 (gnupg)

Hypothetical DoS. A patch was proposed but hasn't been reviewed or merged.

CVE-2022-0400 (linux-yocto)

Out-of-bounds read in the SMC stack. Details are still embargoed so can't tell what this actually impacts.

CVE-2022-1247 (linux-yocto)

Race in the X.25 AF_ROSE implementation, so only an issue if CONFIG_ROSE is enabled.

CVE-2022-4543 (linux-yocto)

aka EntryBleed. Vulnerable on x86-64 systems.

CVE-2022-38096 (linux-yocto)

Bug in vmwgfx driver, still open. Mitigated if CONFIG_DRM_VMWGFX is not enabled.

CVE-2022-46456 (nasm)

Buffer overflow, still open upstream.

CVE-2023-0687 (glibc)

Bad CPE, should be marked as fixed in 2.38. Emailed NIST, data not updated yet. NVD pinged 12/02/2024.

CVE-2023-1386 (qemu)

Still open upstream.

CVE-2023-3354 (qemu)

Fixed in 8.1.0.

CVE-2023-3640 (linux-yocto)

CPU-level address leak specific to x86, still an issue.

CVE-2023-3772 (linux-yocto)

Merged in 00374d9b6d9f932802b55181be9831aa948e5b7c, needs backport.

CVE-2023-3773 (linux-yocto)

Merged in 5e2424708da7207087934c5c75211e8584d553a0, needs backport.

CVE-2023-4010 (linux-yocto)

Hang in USB subsystem. No fix yet.

CVE-2023-4128 (linux-yocto)

Merged in 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81, needs backporting.

CVE-2023-4135 (qemu)

Fixed in 8.1.0.

CVE-2023-40360 (qemu)

Fixed in 8.1.0.

CVE-2023-4569 (linux-yocto)

Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/346.

CVE-2023-4611 (linux-yocto)

Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/347.

CVE-2023-42363 (busybox)

Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15865"

CVE-2023-42364 (busybox)

Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15868"

CVE-2023-42365 (busybox)

Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15871 "

CVE-2023-42366 (busybox)

Patch available (not merged yet) : Attachment 9697 Details for Bug 15874 – PATCH awk.c: fix CVE-2023-42366 (bug #15874)

CVE-2023-51767 (openssh)

"openssh: authentication bypass via row hammer attack" Upstream bug : https://bugzilla.mindrot.org/show_bug.cgi?id=3656 (still open, no patch) Real-world impacts seem quite low

CVE-2023-21803 (linux-yocto)

CVE-2023-24857 (linux-yocto)

CVE-2023-24858 (linux-yocto)

CVE-2023-24859 (linux-yocto)

CVE-2023-24861 (linux-yocto)

CVE-2023-25864 (linux-yocto)

CVE-2023-6240 (linux-yocto)

CVE-2023-6356 (linux-yocto)

CVE-2023-6535 (linux-yocto)

CVE-2023-6536 (linux-yocto)

CVE-2023-7216 (cpio)

Open upstream, disputed by maintainer see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html

CVE-2024-25739 (linux-yocto)

CVE-2024-25740 (linux-yocto)