Date: Fri, 2 Feb 2024 12:20:22 -0500
From: Armin Kuster <akuster@...sta.com>
To: Solar Designer <solar@...nwall.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631

On Tue, Jan 30, 2024 at 9:25 AM Solar Designer <solar@...nwall.com> wrote:

> Hi,
>
> On Tue, Jan 30, 2024 at 08:46:56AM -0500, Armin Kuster wrote:
> > Not sure if this is the appropriate mailing list to share this
> > information.
>
> Since the issues are not specific to one downstream distro, yes, it is
> appropriate and desirable to have this information in here.  Thank you!
>
> However, two things can be done better on further occasions: actual
> vulnerability information should be included in the message body (not
> only links) and the Subject line should explicitly say Linux when
> referring to the Linux kernel (since this list isn't only about Linux).
>
> > I noticed these two openEuler CVEs were assigned two weeks ago affecting
> > some K.O stable branches.
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2021-33630
>
> This says:
>
> "NULL Pointer Dereference vulnerability in openEuler kernel on Linux
> (network modules) allows Pointer Manipulation. This vulnerability is
> associated with program files net/sched/sch_cbs.C. This issue affects
> openEuler kernel: from 4.19.90 before 4.19.90-2401.3."
>
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e8b9bfa110896f95d602d8c98d5f9d67e41d78c
>
> This mainline commit is from 2019, "net/sched: cbs: Fix not adding cbs
> instance to list".
>
> > https://nvd.nist.gov/vuln/detail/CVE-2021-33631
>
> This says:
>
> "Integer Overflow or Wraparound vulnerability in openEuler kernel on
> Linux (filesystem modules) allows Forced Integer Overflow.This issue
> affects openEuler kernel: from 4.19.90 before 4.19.90-2401.3, from
> 5.10.0-60.18.0 before 5.10.0-183.0.0."
>
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5c099c4fdc438014d5893629e70a8ba934433ee8
>
> 2022, "ext4: fix kernel BUG in 'ext4_write_inline_data_end()'"
>
> So the concern is that upstream longterm 4.19.y and 5.10.y (and perhaps
> some others) may still be affected.
>
> The above links don't say anything about attack vectors and required
> access - I guess CAP_NET_ADMIN and raw block device write (e.g., to a
> USB flash drive on another computer), respectively, are the
> prerequisites?  The CVSS scores look exaggerated, especially NVD's score
> of 7.8 for CVE-2021-33631.
>

Thanks for taking the time to explain. Hope to do better next time.

Armin

>
> Alexander
>
