CVE Status: Difference between revisions

From Yocto Project
Jump to navigationJump to search
No edit summary
 
(45 intermediate revisions by 3 users not shown)
Line 1: Line 1:
This is a list of CVEs which are currently being reported as open, and the current state.
This is a list of CVEs which are currently being reported as open, and the current state.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 CVE-2019-14899] (linux-yocto) ===
Claims to be about breaking into VPN tunnels. OpenVPN dispute, Red Hat think it might actually have a larger scope but also the paper is misleading.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 CVE-2021-3714] (linux-yocto) ===
Flaw in kernel memory de-duplication. Still an issue, albeit minor.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 CVE-2021-3864] (linux-yocto) ===
Issue with suid binaries and coredumps. Last known progress on mitigating was [https://lore.kernel.org/lkml/CAAq0SUmw3fGtwDifbBMrD7jgPBGQb7uC0K9hJetVTRQO7boPtA@mail.gmail.com/t/#u this thread].
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 CVE-2022-0400] (linux-yocto) ===


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 CVE-2022-3219] (gnupg) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 CVE-2022-3219] (gnupg) ===
Line 5: Line 19:
Hypothetical DoS. A patch [https://dev.gnupg.org/D556 was proposed] but hasn't been reviewed or merged.
Hypothetical DoS. A patch [https://dev.gnupg.org/D556 was proposed] but hasn't been reviewed or merged.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-33065 CVE-2022-33065] (libsndfile1) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 CVE-2022-0400] (linux-yocto) ===
 
Out-of-bounds read in the SMC stack. Details are still embargoed so can't tell what this actually impacts.


Integer overflow, [https://github.com/libsndfile/libsndfile/issues/789 still open upstream].
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 CVE-2022-1247] (linux-yocto) ===
 
Race in the X.25 AF_ROSE implementation, so only an issue if <tt>CONFIG_ROSE</tt> is enabled.
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 CVE-2022-4543] (linux-yocto) ===
 
aka EntryBleed. Vulnerable on x86-64 systems.
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 CVE-2022-38096] (linux-yocto) ===
 
Bug in vmwgfx driver, still open. Mitigated if CONFIG_DRM_VMWGFX is not enabled.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 CVE-2022-46456] (nasm) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 CVE-2022-46456] (nasm) ===
Line 15: Line 41:
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0687 CVE-2023-0687] (glibc) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0687 CVE-2023-0687] (glibc) ===


Bad CPE, should be marked as fixed in 2.38. Emailed NIST, data not updated yet.
Bad CPE, should be marked as fixed in 2.38. Emailed NIST, data not updated yet.  NVD pinged 12/02/2024.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-37769 CVE-2023-37769] (pixman) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 CVE-2023-1386] (qemu) ===


Appears to be a floating point exception in a test, should verify that the crash is in the test code and not the library. [https://gitlab.freedesktop.org/pixman/pixman/-/issues/76 This ticket] has the details.
Still [https://github.com/v9fs/linux/issues/29 open upstream].


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 CVE-2023-1386] (qemu) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3354 CVE-2023-3354] (qemu) ===
 
[https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4 Fixed] in 8.1.0.
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3640 CVE-2023-3640] (linux-yocto) ===


Still [https://github.com/v9fs/linux/issues/29 open upstream].
CPU-level address leak specific to x86, still an issue.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3019 CVE-2023-3019] (qemu) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3772 CVE-2023-3772] (linux-yocto) ===


Linked patches need rebasing and review.
Merged in 00374d9b6d9f932802b55181be9831aa948e5b7c, needs backport.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3180 CVE-2023-3180] (qemu) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3773 CVE-2023-3773] (linux-yocto) ===


[https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980 Fixed] in 8.1.0.
Merged in 5e2424708da7207087934c5c75211e8584d553a0, needs backport.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3354 CVE-2023-3354] (qemu) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010 CVE-2023-4010] (linux-yocto) ===


[https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4 Fixed] in 8.1.0.
Hang in USB subsystem. No fix yet.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40360 CVE-2023-40360] (qemu) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4128 CVE-2023-4128] (linux-yocto) ===


[https://gitlab.com/qemu-project/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98 Fixed] in 8.1.0.
Merged in 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81, needs backporting.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4135 CVE-2023-4135] (qemu) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4135 CVE-2023-4135] (qemu) ===
Line 45: Line 75:
[https://gitlab.com/qemu-project/qemu/-/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf Fixed] in 8.1.0.
[https://gitlab.com/qemu-project/qemu/-/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf Fixed] in 8.1.0.


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 CVE-2019-14899] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40360 CVE-2023-40360] (qemu) ===
 
[https://gitlab.com/qemu-project/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98 Fixed] in 8.1.0.
 
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4569 CVE-2023-4569] (linux-yocto) ===
 
Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/346.


Claims to be about breaking into VPN tunnels. OpenVPN dispute, Red Hat think it might actually have a larger scope but also the paper is misleading.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4611 CVE-2023-4611] (linux-yocto) ===


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 CVE-2021-3714] (linux-yocto) ===
Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/347.


Flaw in kernel memory de-duplication. Still an issue, albeit minor.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 CVE-2023-42363] (busybox) ===


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 CVE-2021-3864] (linux-yocto) ===
Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15865"


Issue with suid binaries and coredumps. Last known progress on mitigating was [https://lore.kernel.org/lkml/CAAq0SUmw3fGtwDifbBMrD7jgPBGQb7uC0K9hJetVTRQO7boPtA@mail.gmail.com/t/#u this thread].
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42364 CVE-2023-42364] (busybox) ===


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 CVE-2022-0400] (linux-yocto) ===
Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15868"


Out-of-bounds read in the SMC stack. Details are still embargoed so can't tell what this actually impacts.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42365 CVE-2023-42365] (busybox) ===


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 CVE-2022-1247] (linux-yocto) ===
Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15871 "


Race in the X.25 AF_ROSE implementation, so only an issue if <tt>CONFIG_ROSE</tt> is enabled.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42366 CVE-2023-42366] (busybox) ===


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 CVE-2022-4543] (linux-yocto) ===
Patch available (not merged yet) : [https://bugs.busybox.net/attachment.cgi?id=9697&action=edit Attachment 9697 Details for Bug 15874 – PATCH awk.c: fix CVE-2023-42366 (bug #15874)]


aka EntryBleed. Vulnerable on x86-64 systems.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51767 CVE-2023-51767] (openssh) ===


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36402 CVE-2022-36402] (linux-yocto) ===
"openssh: authentication bypass via row hammer attack"
Upstream bug : https://bugzilla.mindrot.org/show_bug.cgi?id=3656 (still open, no patch)
Real-world impacts seem quite low


Bug in vmwgfx driver, still open. Mitigated if CONFIG_DRM_VMWGFX is not enabled.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21803 CVE-2023-21803] (linux-yocto) ===


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 CVE-2022-38096] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24857 CVE-2023-24857] (linux-yocto) ===


Bug in vmwgfx driver, still open. Mitigated if CONFIG_DRM_VMWGFX is not enabled.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24858 CVE-2023-24858] (linux-yocto) ===


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3640 CVE-2023-3640] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24859 CVE-2023-24859] (linux-yocto) ===


CPU-level address leak specific to x86, still an issue.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24861 CVE-2023-24861] (linux-yocto) ===


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3772 CVE-2023-3772] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24864 CVE-2023-25864] (linux-yocto) ===


Merged in 00374d9b6d9f932802b55181be9831aa948e5b7c, needs backport.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6240 CVE-2023-6240] (linux-yocto) ===


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3773 CVE-2023-3773] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6356 CVE-2023-6356] (linux-yocto) ===


Merged in 5e2424708da7207087934c5c75211e8584d553a0, needs backport.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6535 CVE-2023-6535] (linux-yocto) ===


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010 CVE-2023-4010] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6536 CVE-2023-6536] (linux-yocto) ===


Hang in USB subsystem. No fix yet.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7216 CVE-2023-7216] (cpio) ===
Open upstream, disputed by maintainer see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html


=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4128 CVE-2023-4128] (linux-yocto) ===
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25739 CVE-2024-25739] (linux-yocto) ===


Use-after-free. Fixed with [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81 this commit], needs backporting.
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25740 CVE-2024-25740] (linux-yocto) ===





Latest revision as of 11:29, 10 March 2024

This is a list of CVEs which are currently being reported as open, and the current state.

CVE-2019-14899 (linux-yocto)

Claims to be about breaking into VPN tunnels. OpenVPN dispute, Red Hat think it might actually have a larger scope but also the paper is misleading.

CVE-2021-3714 (linux-yocto)

Flaw in kernel memory de-duplication. Still an issue, albeit minor.

CVE-2021-3864 (linux-yocto)

Issue with suid binaries and coredumps. Last known progress on mitigating was this thread.

CVE-2022-0400 (linux-yocto)

CVE-2022-3219 (gnupg)

Hypothetical DoS. A patch was proposed but hasn't been reviewed or merged.

CVE-2022-0400 (linux-yocto)

Out-of-bounds read in the SMC stack. Details are still embargoed so can't tell what this actually impacts.

CVE-2022-1247 (linux-yocto)

Race in the X.25 AF_ROSE implementation, so only an issue if CONFIG_ROSE is enabled.

CVE-2022-4543 (linux-yocto)

aka EntryBleed. Vulnerable on x86-64 systems.

CVE-2022-38096 (linux-yocto)

Bug in vmwgfx driver, still open. Mitigated if CONFIG_DRM_VMWGFX is not enabled.

CVE-2022-46456 (nasm)

Buffer overflow, still open upstream.

CVE-2023-0687 (glibc)

Bad CPE, should be marked as fixed in 2.38. Emailed NIST, data not updated yet. NVD pinged 12/02/2024.

CVE-2023-1386 (qemu)

Still open upstream.

CVE-2023-3354 (qemu)

Fixed in 8.1.0.

CVE-2023-3640 (linux-yocto)

CPU-level address leak specific to x86, still an issue.

CVE-2023-3772 (linux-yocto)

Merged in 00374d9b6d9f932802b55181be9831aa948e5b7c, needs backport.

CVE-2023-3773 (linux-yocto)

Merged in 5e2424708da7207087934c5c75211e8584d553a0, needs backport.

CVE-2023-4010 (linux-yocto)

Hang in USB subsystem. No fix yet.

CVE-2023-4128 (linux-yocto)

Merged in 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81, needs backporting.

CVE-2023-4135 (qemu)

Fixed in 8.1.0.

CVE-2023-40360 (qemu)

Fixed in 8.1.0.

CVE-2023-4569 (linux-yocto)

Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/346.

CVE-2023-4611 (linux-yocto)

Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/347.

CVE-2023-42363 (busybox)

Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15865"

CVE-2023-42364 (busybox)

Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15868"

CVE-2023-42365 (busybox)

Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15871 "

CVE-2023-42366 (busybox)

Patch available (not merged yet) : Attachment 9697 Details for Bug 15874 – PATCH awk.c: fix CVE-2023-42366 (bug #15874)

CVE-2023-51767 (openssh)

"openssh: authentication bypass via row hammer attack" Upstream bug : https://bugzilla.mindrot.org/show_bug.cgi?id=3656 (still open, no patch) Real-world impacts seem quite low

CVE-2023-21803 (linux-yocto)

CVE-2023-24857 (linux-yocto)

CVE-2023-24858 (linux-yocto)

CVE-2023-24859 (linux-yocto)

CVE-2023-24861 (linux-yocto)

CVE-2023-25864 (linux-yocto)

CVE-2023-6240 (linux-yocto)

CVE-2023-6356 (linux-yocto)

CVE-2023-6535 (linux-yocto)

CVE-2023-6536 (linux-yocto)

CVE-2023-7216 (cpio)

Open upstream, disputed by maintainer see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html

CVE-2024-25739 (linux-yocto)

CVE-2024-25740 (linux-yocto)