author Ben Hutchings <ben@decadent.org.uk> 2022-02-25 02:54:22 +0100
committer Ben Hutchings <ben@decadent.org.uk> 2022-02-25 02:58:48 +0100
commit 322eaf84fa0d24cdfa4acc99ff4a8d5635ab0654
tree 84cf09416b8cf27d0c1ac938e5332bc049c04d28 /active
parent 4f1997da8949bfe55fdc4820e7def805bf3d4be8
Fill in status for most issues
Diffstat (limited to 'active')
-rw-r--r-- active/CVE-2018-25020 | 8
-rw-r--r-- active/CVE-2019-19449 | 22
-rw-r--r-- active/CVE-2019-19814 | 20
-rw-r--r-- active/CVE-2019-20794 | 21
-rw-r--r-- active/CVE-2020-12362 | 20
-rw-r--r-- active/CVE-2020-12363 | 20
-rw-r--r-- active/CVE-2020-12364 | 20
-rw-r--r-- active/CVE-2020-15802 | 18
-rw-r--r-- active/CVE-2020-26140 | 5
-rw-r--r-- active/CVE-2020-26142 | 2
-rw-r--r-- active/CVE-2020-26143 | 2
-rw-r--r-- active/CVE-2020-26555 | 9
-rw-r--r-- active/CVE-2020-26556 | 18
-rw-r--r-- active/CVE-2020-26557 | 17
-rw-r--r-- active/CVE-2020-26559 | 17
-rw-r--r-- active/CVE-2020-26560 | 17
-rw-r--r-- active/CVE-2020-27820 | 10
-rw-r--r-- active/CVE-2021-3847 | 22
-rw-r--r-- active/CVE-2021-3864 | 28
-rw-r--r-- active/CVE-2021-39636 | 16
-rw-r--r-- active/CVE-2021-4095 | 16
-rw-r--r-- active/CVE-2021-4148 | 20
-rw-r--r-- active/CVE-2021-4149 | 10
-rw-r--r-- active/CVE-2021-4150 | 16
-rw-r--r-- active/CVE-2021-4197 | 13
-rw-r--r-- active/CVE-2021-4218 | 21
-rw-r--r-- active/CVE-2021-44879 | 13
-rw-r--r-- active/CVE-2021-45469 | 5
-rw-r--r-- active/CVE-2022-0382 | 14
-rw-r--r-- active/CVE-2022-0480 | 12
-rw-r--r-- active/CVE-2022-0646 | 15
-rw-r--r-- active/CVE-2022-24958 | 14
-rw-r--r-- active/CVE-2022-24959 | 7
-rw-r--r-- active/CVE-2022-25265 | 20
34 files changed, 294 insertions, 214 deletions
diff --git a/active/CVE-2018-25020 b/active/CVE-2018-25020
index 8606af57..7d148582 100644
--- a/active/CVE-2018-25020
+++ b/active/CVE-2018-25020
@@ -1,12 +1,16 @@
Description: bpf: fix truncated jump targets on heavy expansions
References:
Notes:
+ bwh> I'm not sure whether BPF in 4.9 can expand BPF programs enough
+ bwh> to trigger this bug, but I'd rather enforce that at run-time
+ bwh> than carry out an analyse which might be invalidated by later
+ bwh> changes. Therefore marking this as needed.
Bugs:
upstream: released (4.17-rc7) [050fad7c4534c13c8eb1d9c2ba66012e014773cb]
5.10-upstream-stable: N/A "Fixed before branching point"
4.19-upstream-stable: N/A "Fixed before branching point"
-4.9-upstream-stable:
+4.9-upstream-stable: needed
sid: released (4.17.3-1)
5.10-bullseye-security: N/A "Fixed before branching point"
4.19-buster-security: N/A "Fixed before branching point"
-4.9-stretch-security:
+4.9-stretch-security: needed
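Review bot: the two 4.9 lines become "needed" on the strength of a run-time argument, but the References field at the top of this hunk stays empty even though the fixing commit 050fad7c4534 is recorded on the upstream line; add that commit (or the patch mail) as a reference so a backporter can locate the change from this file alone. Minor: "carry out an analyse" in the new note should read "an analysis".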
diff --git a/active/CVE-2019-19449 b/active/CVE-2019-19449
index 996f1d0e..8185c20c 100644
--- a/active/CVE-2019-19449
+++ b/active/CVE-2019-19449
@@ -1,15 +1,19 @@
-Description:
+Description: f2fs: Heap out-of-bounds read in init_min_max_mtime()
References:
https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19449
Notes:
+ bwh> The loop in init_min_max_mtime() has not changed between
+ bwh> 4.9 and 5.17-rc4, and there don't appear to be any checks
+ bwh> that main_segments is exactly divisible by segs_per_sec,
+ bwh> so all branches are affected.
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
+upstream: needed
+5.10-upstream-stable: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
3.16-upstream-stable: ignored "EOL"
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+sid: needed
+5.10-bullseye-security: needed
+4.19-buster-security: needed
+4.9-stretch-security: ignored "f2fs is not supportable"
3.16-jessie-security: ignored "EOL"
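Review bot: upstream is set to "needed" with no fix identified, and the only reference is the fuzzer's PoC repository; if the bug was reported to linux-f2fs-devel or kernel bugzilla, link that so the "needed" status has something to be resolved against. The 4.9-upstream-stable "needed" next to 4.9-stretch-security ignored "f2fs is not supportable" is the Debian f2fs policy rather than a contradiction, and a one-line note saying so would spare the next reader the double take.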
diff --git a/active/CVE-2019-19814 b/active/CVE-2019-19814
index c7209ed8..f57184d6 100644
--- a/active/CVE-2019-19814
+++ b/active/CVE-2019-19814
@@ -1,15 +1,17 @@
-Description:
+Description: f2fs: Heap out-of-bounds write in __remove_dirty_segment()
References:
https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19814
Notes:
+ bwh> __remove_dirty_segment() needs to range-check the variable t
+ bwh> in the same way __locate_dirty_segment() does.
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
+upstream: needed
+5.10-upstream-stable: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
3.16-upstream-stable: ignored "EOL"
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+sid: needed
+5.10-bullseye-security: needed
+4.19-buster-security: needed
+4.9-stretch-security: ignored "f2fs is not supportable"
3.16-jessie-security: ignored "EOL"
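Review bot: the new note prescribes the fix (range-check t in __remove_dirty_segment() as __locate_dirty_segment() does) but no patch is referenced; if one has been posted, put it under References, and if not, say so, because "needed" on every branch with no candidate patch gives the backporter nothing to start from.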
diff --git a/active/CVE-2019-20794 b/active/CVE-2019-20794
index 738843d4..fb831444 100644
--- a/active/CVE-2019-20794
+++ b/active/CVE-2019-20794
@@ -1,17 +1,20 @@
-Description:
+Description: fuse: FUSE daemon can make itself unkillable with request loops
References:
https://github.com/sargun/fuse-example
https://sourceforge.net/p/fuse/mailman/message/36598753/
https://lore.kernel.org/lkml/1e796f9e008fb78fb96358ff74f39bd4865a7c88.1604926010.git.gladkov.alexey@gmail.com/
Notes:
+ bwh> The proposed fix notes that the daemon can be killed off through
+ bwh> the fusectl filesystem, but the kill command or service shutdown
+ bwh> won't work.
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
+upstream: needed
+5.10-upstream-stable: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
3.16-upstream-stable: ignored "EOL"
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+sid: needed
+5.10-bullseye-security: needed
+4.19-buster-security: needed
+4.9-stretch-security: needed
3.16-jessie-security: ignored "EOL"
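Review bot: the Notes describe the fusectl workaround but do not say whether the proposed fix linked as the third reference (the lore thread) was merged, reworked or dropped; with every branch now "needed", state the patch's status so this entry is not read as one with an accepted upstream fix awaiting backport.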
diff --git a/active/CVE-2020-12362 b/active/CVE-2020-12362
index 10202ab2..5d184e3f 100644
--- a/active/CVE-2020-12362
+++ b/active/CVE-2020-12362
@@ -1,4 +1,4 @@
-Description:
+Description: i915: Integer overflow in GuC firmware leading to priv-esc
References:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html
Notes:
@@ -9,12 +9,14 @@ Notes:
carnil> firmware is required. The new firmware requires a kernel patch
carnil> https://git.kernel.org/linus/c784e5249e773689e38d2bc1749f08b986621a26
carnil> So might not be treaded as Linux issue itself.
+ bwh> Let's treat it as both firmware and kernel, similar to CPU issues
+ bwh> that need both microcode and kernel changes.
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: released (5.11-rc1) [c784e5249e773689e38d2bc1749f08b986621a26]
+5.10-upstream-stable: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
+sid: released (5.14.6-1)
+5.10-bullseye-security: needed
+4.19-buster-security: needed
+4.9-stretch-security: needed
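Review bot: the "released (5.11-rc1)" and "released (5.14.6-1)" entries record only the kernel-side enabling patch c784e5249e77, while the carnil note above says the actual fix is the new GuC firmware; a branch marked "needed" here therefore cannot be closed by a kernel backport alone. Either add a note that the firmware-nonfree update is tracked separately, or put the firmware dependency into the status reason, so nobody marks a stable branch "released" after backporting the loader change only.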
diff --git a/active/CVE-2020-12363 b/active/CVE-2020-12363
index 10202ab2..218831be 100644
--- a/active/CVE-2020-12363
+++ b/active/CVE-2020-12363
@@ -1,4 +1,4 @@
-Description:
+Description: i915: Bad input validation in GuC firmware leading to DoS
References:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html
Notes:
@@ -9,12 +9,14 @@ Notes:
carnil> firmware is required. The new firmware requires a kernel patch
carnil> https://git.kernel.org/linus/c784e5249e773689e38d2bc1749f08b986621a26
carnil> So might not be treaded as Linux issue itself.
+ bwh> Let's treat it as both firmware and kernel, similar to CPU issues
+ bwh> that need both microcode and kernel changes.
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: released (5.11-rc1) [c784e5249e773689e38d2bc1749f08b986621a26]
+5.10-upstream-stable: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
+sid: released (5.14.6-1)
+5.10-bullseye-security: needed
+4.19-buster-security: needed
+4.9-stretch-security: needed
diff --git a/active/CVE-2020-12364 b/active/CVE-2020-12364
index 10202ab2..bc2ba343 100644
--- a/active/CVE-2020-12364
+++ b/active/CVE-2020-12364
@@ -1,4 +1,4 @@
-Description:
+Description: i915: Null pointer deref in GuC firmware leading to DoS
References:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html
Notes:
@@ -9,12 +9,14 @@ Notes:
carnil> firmware is required. The new firmware requires a kernel patch
carnil> https://git.kernel.org/linus/c784e5249e773689e38d2bc1749f08b986621a26
carnil> So might not be treaded as Linux issue itself.
+ bwh> Let's treat it as both firmware and kernel, similar to CPU issues
+ bwh> that need both microcode and kernel changes.
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: released (5.11-rc1) [c784e5249e773689e38d2bc1749f08b986621a26]
+5.10-upstream-stable: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
+sid: released (5.14.6-1)
+5.10-bullseye-security: needed
+4.19-buster-security: needed
+4.9-stretch-security: needed
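Review bot: this is the third file (with CVE-2020-12362 and CVE-2020-12363) carrying identical Notes and status for INTEL-SA-00438 and the same caveat applies: commit c784e5249e77 only lets the kernel load the fixed firmware, so "needed" implies both a kernel backport and a firmware update. Keep the three files in step when any one of them is updated; a cross-reference line in Notes would help.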
diff --git a/active/CVE-2020-15802 b/active/CVE-2020-15802
index 79f8d99f..f4a831ea 100644
--- a/active/CVE-2020-15802
+++ b/active/CVE-2020-15802
@@ -6,12 +6,14 @@ References:
https://www.kb.cert.org/vuls/id/589825/
https://bugzilla.suse.com/show_bug.cgi?id=1176442
Notes:
+ bwh> Introduced in 3.19 as noted in
+ bwh> http://www.bluez.org/bluetooth-4-2-features-going-to-the-3-19-kernel-release/
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: needed
+5.10-upstream-stable: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
+sid: needed
+5.10-bullseye-security: needed
+4.19-buster-security: needed
+4.9-stretch-security: needed
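Review bot: the "Introduced in 3.19" note rests on a bluez.org blog post, whereas the other entries in this commit that pin an introduction point (CVE-2021-4095, CVE-2022-0382) cite the introducing commit by ID; naming the 3.19 commit that added the Bluetooth 4.2 feature in question would make the claim checkable and match the convention. All eight branches are "needed" yet no fix or mitigation is referenced, so the Notes should also say what "needed" is waiting for.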
diff --git a/active/CVE-2020-26140 b/active/CVE-2020-26140
index db146255..2b6072fa 100644
--- a/active/CVE-2020-26140
+++ b/active/CVE-2020-26140
@@ -5,6 +5,11 @@ References:
https://lore.kernel.org/linux-wireless/20210511180259.159598-1-johannes@sipsolutions.net/
Notes:
carnil> Needs to be checked if this really has a fix in Linux.
+ bwh> I don't think this bug was present in mac80211, but individual
+ bwh> drivers or firmware might be affected. The same issue was found
+ bwh> earlier in some vendor drivers which were assigned
+ bwh> CVE-2019-18989, CVE-2019-18990, and CVE-2019-18991:
+ bwh> https://www.synopsys.com/blogs/software-security/cyrc-advisory-sept2020/
Bugs:
upstream:
5.10-upstream-stable:
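Review bot: the note concludes that mac80211 did not have this bug, yet the Bugs block is left blank for every branch; if that conclusion stands, record a kernel status (N/A or ignored with the reason) and list which in-tree drivers were checked, since "individual drivers or firmware might be affected" is an open question that a blank status does not capture and the carnil line above still asks to be checked.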
diff --git a/active/CVE-2020-26142 b/active/CVE-2020-26142
index ab163436..93791d14 100644
--- a/active/CVE-2020-26142
+++ b/active/CVE-2020-26142
@@ -5,6 +5,8 @@ References:
https://lore.kernel.org/linux-wireless/20210511180259.159598-1-johannes@sipsolutions.net/
Notes:
carnil> Needs to be checked if this really has a fix in Linux.
+ bwh> I don't think this bug was present in mac80211, but individual
+ bwh> drivers or firmware might be affected.
Bugs:
upstream:
5.10-upstream-stable:
diff --git a/active/CVE-2020-26143 b/active/CVE-2020-26143
index 7ab980e2..cc4f34e5 100644
--- a/active/CVE-2020-26143
+++ b/active/CVE-2020-26143
@@ -5,6 +5,8 @@ References:
https://lore.kernel.org/linux-wireless/20210511180259.159598-1-johannes@sipsolutions.net/
Notes:
carnil> Needs to be checked if this really has a fix in Linux.
+ bwh> I don't think this bug was present in mac80211, but individual
+ bwh> drivers or firmware might be affected.
Bugs:
upstream:
5.10-upstream-stable:
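Review bot: as with CVE-2020-26140 and CVE-2020-26142, the note says mac80211 is not affected but every status stays blank; set a status so the carnil "needs to be checked" line is visibly answered, and say which drivers, if any, remain to be examined.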
diff --git a/active/CVE-2020-26555 b/active/CVE-2020-26555
index 5b14e35a..a1f793bc 100644
--- a/active/CVE-2020-26555
+++ b/active/CVE-2020-26555
@@ -3,7 +3,16 @@ References:
https://kb.cert.org/vuls/id/799380
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/impersonation-pin-pairing/
https://bugzilla.redhat.com/show_bug.cgi?id=1918601
+ https://bodhi.fedoraproject.org/updates/FEDORA-2021-a35b44fd9f
+ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00520.html
Notes:
+ bwh> Fedora claims this was fixed along with CVE-2020-26558 in
+ bwh> 5.12.7, which implies the upstream fix is commit 6d19628f539f
+ bwh> "Bluetooth: SMP: Fail if remote and local public keys are
+ bwh> identical". But it's not clear to me that that commit
+ bwh> addresses this issue too.
+ bwh> Intel claims to have addressed this for their Bluetooth
+ bwh> adapters in a firmware update.
Bugs:
upstream:
5.10-upstream-stable:
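Review bot: the note names commit 6d19628f539f as the fix Fedora claims and then doubts it covers this CVE, but Bugs stays blank on every branch; carry that doubt into the status (for example "needed" with the candidate commit named in Notes), otherwise the blank reads as "not yet looked at" rather than "looked at, unresolved". The added intel-sa-00520 reference is a firmware fix for Intel adapters only, which is worth stating next to it.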
diff --git a/active/CVE-2020-26556 b/active/CVE-2020-26556
index ed76999e..60be7fc6 100644
--- a/active/CVE-2020-26556
+++ b/active/CVE-2020-26556
@@ -4,12 +4,14 @@ References:
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/malleable/
https://bugzilla.redhat.com/show_bug.cgi?id=1960012
Notes:
+ bwh> Mesh provisioning seems to be handled in user-space.
+ bwh> This was addressed in bluez 5.50-1.1.
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: N/A "Not implemented in kernel"
+5.10-upstream-stable: N/A "Not implemented in kernel"
+4.19-upstream-stable: N/A "Not implemented in kernel"
+4.9-upstream-stable: N/A "Not implemented in kernel"
+sid: N/A "Not implemented in kernel"
+5.10-bullseye-security: N/A "Not implemented in kernel"
+4.19-buster-security: N/A "Not implemented in kernel"
+4.9-stretch-security: N/A "Not implemented in kernel"
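Review bot: "This was addressed in bluez 5.50-1.1" records a user-space fix with no source; add the bluez changelog or advisory link under References, otherwise this kernel tracker file becomes the only place that version is asserted. The N/A "Not implemented in kernel" reason is consistent across the eight branches, which is good.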
diff --git a/active/CVE-2020-26557 b/active/CVE-2020-26557
index 25a55842..4a86b8c4 100644
--- a/active/CVE-2020-26557
+++ b/active/CVE-2020-26557
@@ -4,12 +4,13 @@ References:
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/predicatable-authvalue/
https://bugzilla.redhat.com/show_bug.cgi?id=1960009
Notes:
+ bwh> Mesh provisioning seems to be handled in user-space.
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: N/A "Not implemented in kernel"
+5.10-upstream-stable: N/A "Not implemented in kernel"
+4.19-upstream-stable: N/A "Not implemented in kernel"
+4.9-upstream-stable: N/A "Not implemented in kernel"
+sid: N/A "Not implemented in kernel"
+5.10-bullseye-security: N/A "Not implemented in kernel"
+4.19-buster-security: N/A "Not implemented in kernel"
+4.9-stretch-security: N/A "Not implemented in kernel"
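Review bot: the note hedges ("seems to be handled in user-space") while every branch gets a definitive N/A "Not implemented in kernel"; either confirm the conclusion (the CVE-2020-26556 entry in this commit names a bluez fix, which would be that confirmation) or carry the uncertainty into the reason string.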
diff --git a/active/CVE-2020-26559 b/active/CVE-2020-26559
index 4fea3011..3112e2b1 100644
--- a/active/CVE-2020-26559
+++ b/active/CVE-2020-26559
@@ -4,12 +4,13 @@ References:
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/authvalue-leak/
https://bugzilla.redhat.com/show_bug.cgi?id=1960011
Notes:
+ bwh> Mesh provisioning seems to be handled in user-space.
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: N/A "Not implemented in kernel"
+5.10-upstream-stable: N/A "Not implemented in kernel"
+4.19-upstream-stable: N/A "Not implemented in kernel"
+4.9-upstream-stable: N/A "Not implemented in kernel"
+sid: N/A "Not implemented in kernel"
+5.10-bullseye-security: N/A "Not implemented in kernel"
+4.19-buster-security: N/A "Not implemented in kernel"
+4.9-stretch-security: N/A "Not implemented in kernel"
diff --git a/active/CVE-2020-26560 b/active/CVE-2020-26560
index 3785e0fb..be0abd40 100644
--- a/active/CVE-2020-26560
+++ b/active/CVE-2020-26560
@@ -4,12 +4,13 @@ References:
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/impersonation-mesh/
https://bugzilla.redhat.com/show_bug.cgi?id=1959994
Notes:
+ bwh> Mesh provisioning seems to be handled in user-space.
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: N/A "Not implemented in kernel"
+5.10-upstream-stable: N/A "Not implemented in kernel"
+4.19-upstream-stable: N/A "Not implemented in kernel"
+4.9-upstream-stable: N/A "Not implemented in kernel"
+sid: N/A "Not implemented in kernel"
+5.10-bullseye-security: N/A "Not implemented in kernel"
+4.19-buster-security: N/A "Not implemented in kernel"
+4.9-stretch-security: N/A "Not implemented in kernel"
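Review bot: same point as for CVE-2020-26557 and CVE-2020-26559: a hedged note ("seems to be") backing a definitive N/A on all branches; one confirmed statement that mesh provisioning lives in bluez, shared by the four mesh entries, would let all of them drop the hedge.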
diff --git a/active/CVE-2020-27820 b/active/CVE-2020-27820
index 5d327702..23846614 100644
--- a/active/CVE-2020-27820
+++ b/active/CVE-2020-27820
@@ -5,15 +5,13 @@ References:
https://lore.kernel.org/dri-devel/20201103194912.184413-4-jcline@redhat.com/
https://bugzilla.redhat.com/show_bug.cgi?id=1901726
Notes:
- bwh> I don't see how this is a security issue, though it seems like a
- bwh> worthwhile fix anyway.
carnil> Fixed as well in 5.15.5 for the 5.15.y series.
Bugs:
upstream: released (5.16-rc1) [aff2299e0d81b26304ccc6a1ec0170e437f38efc, abae9164a421bc4a41a3769f01ebcd1f9d955e0e, f55aaf63bde0d0336c3823bb3713bd4a464abbcf]
5.10-upstream-stable: released (5.10.82) [c81c90fbf5775ed1b907230eaaa766fa0e1b7cfa, 9221aff33edb627ea52a51379862f46e63e7c0c9, 82de15ca6b5574fc0e2f54daa1de00b5b2dcf32f]
-4.19-upstream-stable:
-4.9-upstream-stable:
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
sid: released (5.15.5-1)
5.10-bullseye-security: released (5.10.84-1)
-4.19-buster-security:
-4.9-stretch-security:
+4.19-buster-security: needed
+4.9-stretch-security: needed
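Review bot: the removed bwh lines were the only stated rationale ("I don't see how this is a security issue"), and the same hunk now marks 4.19 and 4.9 "needed", which is the opposite conclusion; add a line saying what changed the assessment (or that the stable backports are being taken as worthwhile fixes regardless of severity), otherwise the history shows a reversal with no reason attached.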
diff --git a/active/CVE-2021-3847 b/active/CVE-2021-3847
index efa4f591..067b8164 100644
--- a/active/CVE-2021-3847
+++ b/active/CVE-2021-3847
@@ -1,14 +1,18 @@
-Description: low-privileged user privileges escalation
+Description: ovl: Copy-up from nosuid lower to suid upper could allow priv-esc
References:
https://bugzilla.redhat.com/show_bug.cgi?id=2009704
https://www.openwall.com/lists/oss-security/2021/10/14/3
Notes:
+ bwh> Only likely to be exploitable after commit 459c7c565ac3
+ bwh> "ovl: unprivieged mounts" in 5.11-rc1, or if the
+ bwh> Debian-specific module parameter permit_mounts_in_userns
+ bwh> is enabled.
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: needed
+5.10-upstream-stable: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
+sid: needed
+5.10-bullseye-security: needed
+4.19-buster-security: needed
+4.9-stretch-security: needed
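Review bot: the note says exploitation is only likely from 5.11-rc1 (commit 459c7c565ac3) or with the Debian-specific permit_mounts_in_userns parameter, yet 4.9-upstream-stable, 4.19-upstream-stable and 5.10-upstream-stable are all "needed"; the upstream stable branches predate 5.11 and do not carry the Debian parameter, so by the note's own reasoning they would be N/A or "ignored" with a reason, with "needed" reserved for sid and the Debian security branches where the parameter exists.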
diff --git a/active/CVE-2021-3864 b/active/CVE-2021-3864
index f8e672c7..76122102 100644
--- a/active/CVE-2021-3864
+++ b/active/CVE-2021-3864
@@ -1,4 +1,4 @@
-Description: descendant's dumpable setting with certain SUID binaries
+Description: setuid program that exec's can coredump in dir not writable by caller; priv-esc possible
References:
https://www.openwall.com/lists/oss-security/2021/10/20/2
https://bugzilla.redhat.com/show_bug.cgi?id=2015046
@@ -6,12 +6,22 @@ References:
https://lore.kernel.org/lkml/20211228170910.623156-1-wander@redhat.com
https://lore.kernel.org/all/20211226150310.GA992@1wt.eu/
Notes:
+ bwh> The PoC exploits logrotate's lax parsing of configuration files
+ bwh> to inject commands via the coredump, but I think generally we
+ bwh> should assume that bypassing write-protection in any way can
+ bwh> lead to privilege escalation.
+ bwh> sudo is an important part of the PoC and should disable core-
+ bwh> dumps by default.
+ bwh> It's less clear what should be done in the kernel; possibly
+ bwh> some resource limits should be reset on exec of a setuid
+ bwh> program - see
+ bwh> https://lore.kernel.org/linux-api/87fso91n0v.fsf_-_@email.froward.int.ebiederm.org/
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: needed
+5.10-upstream-stable: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
+sid: needed
+5.10-bullseye-security: needed
+4.19-buster-security: needed
+4.9-stretch-security: needed
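Review bot: the lore.kernel.org/linux-api link to the resource-limit proposal sits inside the Notes, while the two other lore threads for this entry are under References (context lines at the top of the hunk); move it there for consistency. Since the Notes identify sudo's core-dump behaviour as an important part of the PoC, a pointer to wherever the sudo side is tracked would stop "needed" on every kernel branch from being read as the whole mitigation.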
diff --git a/active/CVE-2021-39636 b/active/CVE-2021-39636
index e976d62b..ae6e76ac 100644
--- a/active/CVE-2021-39636
+++ b/active/CVE-2021-39636
@@ -1,4 +1,4 @@
-Description:
+Description: netfilter: Kernel info leaks from various modules
References:
https://source.android.com/security/bulletin/pixel/2021-12-01
Notes:
@@ -6,12 +6,14 @@ Notes:
carnil> pixel/2021-12-01 are spread over two versions. But it's not
carnil> very clear to what CVE-2021-39636 is referring to, assuming it
carnil> is for the pointer leak to userspace?
+ bwh> Pretty sure this is about leaking pointers. The last 2 commits
+ bwh> are fixing that and the first 3 are dependencies for the fix.
Bugs:
upstream: released (4.11-rc1) [f32815d21d4d8287336fb9cef4d2d9e0866214c2, f77bc5b23fb1af51fc0faa8a479dea8969eb5079, e47ddb2c4691fd2bd8d25745ecb6848408899757, ec23189049651b16dc2ffab35a4371dc1f491aca], released (4.16-rc1) [1e98ffea5a8935ec040ab72299e349cb44b8defd]
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
+5.10-upstream-stable: N/A "Fixed before branch point"
+4.19-upstream-stable: N/A "Fixed before branch point"
+4.9-upstream-stable: needed
sid: released (4.16.5-1)
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+5.10-bullseye-security: N/A "Fixed before branch point"
+4.19-buster-security: N/A "Fixed before branch point"
+4.9-stretch-security: needed
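Review bot: the N/A reason here is "Fixed before branch point" while the CVE-2018-25020 entry in this same commit uses "Fixed before branching point"; pick one spelling, since these strings are what anyone grepping the tracker matches on. The statuses themselves line up with the upstream line: the 4.11-rc1 and 4.16-rc1 fixes predate the 4.19 and 5.10 branch points and 4.9 remains affected.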
diff --git a/active/CVE-2021-4095 b/active/CVE-2021-4095
index 451cdf0b..84309d99 100644
--- a/active/CVE-2021-4095
+++ b/active/CVE-2021-4095
@@ -6,12 +6,14 @@ References:
https://www.openwall.com/lists/oss-security/2021/12/14/2
https://www.openwall.com/lists/oss-security/2022/01/17/1
Notes:
+ bwh> Introduced in 5.12 by commit 629b5348841a "KVM: x86/xen: update
+ bwh> wallclock region".
Bugs:
upstream: released (5.17-rc1) [55749769fe608fa3f4a075e42e89d237c8e37637]
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+5.10-upstream-stable: N/A "Vulnerability introduced later"
+4.19-upstream-stable: N/A "Vulnerability introduced later"
+4.9-upstream-stable: N/A "Vulnerability introduced later"
+sid: needed
+5.10-bullseye-security: N/A "Vulnerability introduced later"
+4.19-buster-security: N/A "Vulnerability introduced later"
+4.9-stretch-security: N/A "Vulnerability introduced later"
diff --git a/active/CVE-2021-4148 b/active/CVE-2021-4148
index 6c32f438..90eddbb5 100644
--- a/active/CVE-2021-4148
+++ b/active/CVE-2021-4148
@@ -1,4 +1,4 @@
-Description: Improper implementation of block_invalidatepage() allows users to crash the kernel
+Description: mm: Opening THP-backed special file for write causes crash in block_invalidatepage()
References:
https://bugzilla.redhat.com/show_bug.cgi?id=2026487
https://lkml.org/lkml/2021/9/17/1037
@@ -6,12 +6,14 @@ References:
https://lore.kernel.org/linux-mm/a07564a3-b2fc-9ffe-3ace-3f276075ea5c@google.com/
https://lore.kernel.org/lkml/CACkBjsYwLYLRmX8GpsDpMthagWOjWWrNxqY6ZLNQVr6yx+f5vA@mail.gmail.com/
Notes:
+ bwh> Introduced in 5.4 by commit 99cb0dbd47a1 "mm,thp: add read-only THP
+ bwh> support for (non-shmem) FS".
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: released (5.15) [a4aeaa06d45e90f9b279f0b09de84bd00006e733]
+5.10-upstream-stable: released (5.10.78) [6d67b2a73b8e3a079c355bab3c1aef7d85a044b8]
+4.19-upstream-stable: N/A "Vulnerable code not present"
+4.9-upstream-stable: N/A "Vulnerable code not present"
+sid: released (5.14.16-1)
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: N/A "Vulnerable code not present"
+4.9-stretch-security: N/A "Vulnerable code not present"
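Review bot: the N/A reason "Vulnerable code not present" is used here for a bug the note dates to 5.4, while the other entries in this commit with a known introducing commit (CVE-2021-4095, CVE-2021-4150, CVE-2022-0382, CVE-2022-24959) use "Vulnerability introduced later"; use the same string for the same situation so the distinction from the CVE-2022-0646 case, where the driver does not exist at all, stays meaningful.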
diff --git a/active/CVE-2021-4149 b/active/CVE-2021-4149
index 98ca7838..17d65b32 100644
--- a/active/CVE-2021-4149
+++ b/active/CVE-2021-4149
@@ -4,12 +4,14 @@ References:
https://lkml.org/lkml/2021/10/18/885
https://lkml.org/lkml/2021/9/13/2565
Notes:
+ bwh> Commit message says the fix is applicable to 5.4 onward,
+ bwh> but earlier versions seem to have the same bug.
Bugs:
upstream: released (5.15-rc6) [19ea40dddf1833db868533958ca066f368862211]
5.10-upstream-stable: released (5.10.75) [206868a5b6c14adc4098dd3210a2f7510d97a670]
-4.19-upstream-stable:
-4.9-upstream-stable:
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
sid: released (5.14.16-1)
5.10-bullseye-security: released (5.10.84-1)
-4.19-buster-security:
-4.9-stretch-security:
+4.19-buster-security: needed
+4.9-stretch-security: needed
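Review bot: the note overrides the upstream commit message's "5.4 onward" scoping without giving evidence, and 4.19 and 4.9 become "needed" on that basis; name the code (the function, or the commit the bug dates from) that shows the earlier branches share it, so the backporter need not redo the analysis and the upstream stable maintainers can be pointed at it.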
diff --git a/active/CVE-2021-4150 b/active/CVE-2021-4150
index f5f2fde7..588d6073 100644
--- a/active/CVE-2021-4150
+++ b/active/CVE-2021-4150
@@ -4,12 +4,14 @@ References:
https://lkml.org/lkml/2021/9/6/781
https://lkml.org/lkml/2021/10/18/485
Notes:
+ bwh> Introduced in 5.15-rc1 by commit 9d3b8813895d "block: change the
+ bwh> refcounting for partitions", so never appeared in a stable release.
Bugs:
upstream: released (5.15-rc7) [9fbfabfda25d8774c5a08634fdd2da000a924890]
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid: released (5.15.3-1)
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+5.10-upstream-stable: N/A "Vulnerability introduced later"
+4.19-upstream-stable: N/A "Vulnerability introduced later"
+4.9-upstream-stable: N/A "Vulnerability introduced later"
+sid: N/A "Vulnerability introduced and fixed in experimental"
+5.10-bullseye-security: N/A "Vulnerability introduced later"
+4.19-buster-security: N/A "Vulnerability introduced later"
+4.9-stretch-security: N/A "Vulnerability introduced later"
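Review bot: the sid line goes from "released (5.15.3-1)" to N/A "Vulnerability introduced and fixed in experimental", which drops the record of the first fixed sid upload; if the point is that no vulnerable 5.15 kernel ever reached sid (only the rc1 to rc7 window in experimental), say that in Notes, since the old version string still tells readers which sid upload is post-fix.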
diff --git a/active/CVE-2021-4197 b/active/CVE-2021-4197
index a81231ca..29382ce7 100644
--- a/active/CVE-2021-4197
+++ b/active/CVE-2021-4197
@@ -4,12 +4,13 @@ References:
https://bugzilla.redhat.com/show_bug.cgi?id=2035652
Notes:
carnil> Fixed as well in 5.15.14 for 5.15.y.
+ bwh> At least the first commit is applicable to all branches.
Bugs:
upstream: released (5.16) [1756d7994ad85c2479af6ae5a9750b92324685af, 0d2b5955b36250a9428c832664f2079cbf723bec, e57457641613fef0d147ede8bd6a3047df588b95]
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
+5.10-upstream-stable: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
sid: released (5.15.15-1)
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+5.10-bullseye-security: needed
+4.19-buster-security: needed
+4.9-stretch-security: needed
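Review bot: the note says only "at least the first commit" (1756d7994ad8) applies to all branches, but the three stable lines are a bare "needed"; state per branch whether the second and third commits (0d2b5955b362, e57457641613) are required as well, otherwise whoever backports has to re-derive that and may pull all three or only one.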
diff --git a/active/CVE-2021-4218 b/active/CVE-2021-4218
index 0cc62196..12445f6a 100644
--- a/active/CVE-2021-4218
+++ b/active/CVE-2021-4218
@@ -1,14 +1,17 @@
-Description: sysctl: pass kernel pointers to ->proc_handler
+Description: xprtrdma: Wrong copy function used in sysctl handler
References:
https://bugzilla.redhat.com/show_bug.cgi?id=2048359
https://bugs.centos.org/view.php?id=18395
Notes:
+ bwh> This issue is specific to CentOS/RHEL. In mainline,
+ bwh> xprtrdma always used copy_to_user() until the general
+ bwh> conversion of sysctls to use a kernel buffer.
Bugs:
-upstream: released (5.8-rc1) [32927393dc1ccd60fb2bdc05b9e8e88753761469]
-5.10-upstream-stable: N/A "Fixed before branching point"
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid: released (5.8.7-1)
-5.10-bullseye-security: N/A "Fixed before branching point"
-4.19-buster-security:
-4.9-stretch-security:
+upstream: N/A "Vulnerability never present"
+5.10-upstream-stable: N/A "Vulnerability never present"
+4.19-upstream-stable: N/A "Vulnerability never present"
+4.9-upstream-stable: N/A "Vulnerability never present"
+sid: N/A "Vulnerability never present"
+5.10-bullseye-security: N/A "Vulnerability never present"
+4.19-buster-security: N/A "Vulnerability never present"
+4.9-stretch-security: N/A "Vulnerability never present"
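Review bot: the hunk drops mainline commit 32927393dc1c ("sysctl: pass kernel pointers to ->proc_handler", the old Description) from the upstream line, but the new note still relies on it ("until the general conversion of sysctls to use a kernel buffer") without naming it; keep the commit ID in Notes as the evidence that mainline never had the CentOS/RHEL bug, since "Vulnerability never present" is otherwise unverifiable from the file.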
diff --git a/active/CVE-2021-44879 b/active/CVE-2021-44879
index 87909954..6a035183 100644
--- a/active/CVE-2021-44879
+++ b/active/CVE-2021-44879
@@ -4,12 +4,13 @@ References:
https://bugzilla.kernel.org/show_bug.cgi?id=215231
https://lore.kernel.org/linux-f2fs-devel/20211206144421.3735-3-chao@kernel.org/T/
Notes:
+ bwh> The bug seems to exist in all our stable branches.
Bugs:
upstream: released (5.17-rc1) [9056d6489f5a41cfbb67f719d2c0ce61ead72d9f]
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
+5.10-upstream-stable: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
sid: released (5.16.7-1)
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+5.10-bullseye-security: needed
+4.19-buster-security: needed
+4.9-stretch-security: ignored "f2fs is not supportable"
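Review bot: "seems to exist in all our stable branches" is a hedge backing a definite "needed" on 5.10, 4.19 and 4.9; if the bug was confirmed in each (the linux-f2fs-devel thread is referenced), say so. The 4.9-upstream-stable "needed" beside 4.9-stretch-security ignored "f2fs is not supportable" follows the same f2fs policy as the other f2fs entries in this commit and is fine.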
diff --git a/active/CVE-2021-45469 b/active/CVE-2021-45469
index 53c293bc..1d21b0a3 100644
--- a/active/CVE-2021-45469
+++ b/active/CVE-2021-45469
@@ -4,12 +4,13 @@ References:
https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=dev&id=5598b24efaf4892741c798b425d543e4bed357a1
Notes:
carnil> for 5.15.y fixed as well in 5.15.12.
+ bwh> This is due to an incomplete fix for CVE-2019-9453.
Bugs:
upstream: released (5.17-rc1) [645a3c40ca3d40cc32b4b5972bf2620f2eb5dba6]
5.10-upstream-stable: released (5.10.89) [fffb6581a23add416239dfcf7e7f3980c6b913da]
4.19-upstream-stable: released (4.19.223) [f9dfa44be0fb5e8426183a70f69a246cf5827f49]
-4.9-upstream-stable:
+4.9-upstream-stable: needed
sid: released (5.15.15-1)
5.10-bullseye-security: released (5.10.92-1)
4.19-buster-security: needed
-4.9-stretch-security:
+4.9-stretch-security: ignored "f2fs is not supportable"
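Review bot: the note ties this to an incomplete fix for CVE-2019-9453, so the new 4.9 "needed" depends on whether 4.9.y carries that earlier fix; record which it is (if it does not, both changes go together). Separately, the reference points at the f2fs dev-branch hash 5598b24efaf4, which differs from the mainline commit 645a3c40ca3d recorded on the upstream line; a mainline link avoids the mismatch.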
diff --git a/active/CVE-2022-0382 b/active/CVE-2022-0382
index 60039db5..102b3dc4 100644
--- a/active/CVE-2022-0382
+++ b/active/CVE-2022-0382
@@ -2,12 +2,14 @@ Description: net ticp:fix a kernel-infoleak in __tipc_sendmsg()
References:
https://bugzilla.redhat.com/show_bug.cgi?id=2046440
Notes:
+ bwh> Introduced in 5.13-rc1 by commit 908148bc5046
+ bwh> "tipc: refactor tipc_sendmsg() and tipc_lookup_anycast()".
Bugs:
upstream: released (5.16) [d6d86830705f173fca6087a3e67ceaf68db80523]
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
+5.10-upstream-stable: N/A "Vulnerability introduced later"
+4.19-upstream-stable: N/A "Vulnerability introduced later"
+4.9-upstream-stable: N/A "Vulnerability introduced later"
sid: released (5.15.15-1)
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+5.10-bullseye-security: N/A "Vulnerability introduced later"
+4.19-buster-security: N/A "Vulnerability introduced later"
+4.9-stretch-security: N/A "Vulnerability introduced later"
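Review bot: the Description context line reads "net ticp:fix a kernel-infoleak in __tipc_sendmsg()"; "ticp" should be "tipc" and a space is missing after the colon. Worth fixing while this file is being touched, since the tracker is grepped by subsystem name.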
diff --git a/active/CVE-2022-0480 b/active/CVE-2022-0480
index 17624bcb..1a5cebfb 100644
--- a/active/CVE-2022-0480
+++ b/active/CVE-2022-0480
@@ -6,10 +6,10 @@ References:
Notes:
Bugs:
upstream: released (5.15-rc1) [0f12156dff2862ac54235fc72703f18770769042]
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
+5.10-upstream-stable: ignored "Minor issue"
+4.19-upstream-stable: ignored "Minor issue"
+4.9-upstream-stable: ignored "Minor issue"
sid: released (5.15.3-1)
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+5.10-bullseye-security: ignored "Minor issue"
+4.19-buster-security: ignored "Minor issue"
+4.9-stretch-security: ignored "Minor issue"
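Review bot: every stable branch becomes ignored "Minor issue" while the Notes field stays empty; add a sentence on why it is minor (what the 5.15-rc1 commit 0f12156dff28 changes and why that does not matter on the older branches), so the decision can be revisited if the assessment changes.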
diff --git a/active/CVE-2022-0646 b/active/CVE-2022-0646
index 476e32a1..fa793b06 100644
--- a/active/CVE-2022-0646
+++ b/active/CVE-2022-0646
@@ -3,12 +3,13 @@ References:
https://bugzilla.redhat.com/show_bug.cgi?id=2055206
https://lore.kernel.org/all/20220211011552.1861886-1-jk@codeconstruct.com.au/T/
Notes:
+ bwh> This driver was only added in 5.17-rc1!
Bugs:
upstream: released (5.17-rc5) [6c342ce2239c182c2428ce5a44cb32330434ae6e]
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+5.10-upstream-stable: N/A "Vulnerable code not present"
+4.19-upstream-stable: N/A "Vulnerable code not present"
+4.9-upstream-stable: N/A "Vulnerable code not present"
+sid: N/A "Vulnerable code not present"
+5.10-bullseye-security: N/A "Vulnerable code not present"
+4.19-buster-security: N/A "Vulnerable code not present"
+4.9-stretch-security: N/A "Vulnerable code not present"
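Review bot: the sid line is N/A "Vulnerable code not present", which is true only while sid ships a pre-5.17 kernel; once 5.17 enters sid the driver exists and the fix from 5.17-rc5 is what matters, so a "pending"/"released" entry with the 5.17 commit 6c342ce2239c would be more durable than N/A for sid, even though N/A is right for the stable branches.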
diff --git a/active/CVE-2022-24958 b/active/CVE-2022-24958
index 574d3a72..e237bb78 100644
--- a/active/CVE-2022-24958
+++ b/active/CVE-2022-24958
@@ -3,10 +3,10 @@ References:
Notes:
Bugs:
upstream: released (5.17-rc1) [89f3594d0de58e8a57d92d497dea9fee3d4b9cda, 501e38a5531efbd77d5c73c0ba838a889bfc1d74]
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+5.10-upstream-stable: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
+sid: needed
+5.10-bullseye-security: needed
+4.19-buster-security: needed
+4.9-stretch-security: needed
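Review bot: two upstream commits are listed, every other branch is "needed", and both References and Notes are empty; say whether both commits are required for the backport (or whether the second is a follow-up) and add the report or patch thread, since this entry currently describes the bug by nothing but two commit IDs.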
diff --git a/active/CVE-2022-24959 b/active/CVE-2022-24959
index 927b2230..419487e3 100644
--- a/active/CVE-2022-24959
+++ b/active/CVE-2022-24959
@@ -1,12 +1,15 @@
Description: yam: fix a memory leak in yam_siocdevprivate()
References:
Notes:
+ bwh> Introduced in 4.19 by commit 0781168e23a2 "yam: fix a missing-
+ bwh> check bug". (That didn't actually fix any bug because the
+ bwh> driver never looks at the second copy of the cmd field.)
Bugs:
upstream: released (5.17-rc2) [29eb31542787e1019208a2e1047bb7c76c069536]
5.10-upstream-stable: released (5.10.96) [729e54636b3ebefb77796702a5b1f1ed5586895e]
4.19-upstream-stable: released (4.19.228) [4bd197ce18329e3725fe3af5bd27daa4256d3ac7]
-4.9-upstream-stable:
+4.9-upstream-stable: N/A "Vulnerability introduced later"
sid: released (5.16.7-1)
5.10-bullseye-security: needed
4.19-buster-security: needed
-4.9-stretch-security:
+4.9-stretch-security: N/A "Vulnerability introduced later"
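Review bot: the N/A for 4.9 rests on the introducing commit 0781168e23a2 having landed in 4.19, but a commit titled "yam: fix a missing-check bug" is exactly the kind that gets picked into older stable series; verify that 4.9.y does not carry it before settling on "Vulnerability introduced later", and mention that check in the note. The parenthetical that the commit fixed nothing is useful context for the stable maintainers too.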
diff --git a/active/CVE-2022-25265 b/active/CVE-2022-25265
index 0fbb5ae2..8e6b64d2 100644
--- a/active/CVE-2022-25265
+++ b/active/CVE-2022-25265
@@ -1,14 +1,16 @@
-Description:
+Description: x86: Old ELF binaries run with executable stack and data segment
References:
https://github.com/x0reaxeax/exec-prot-bypass
https://github.com/torvalds/linux/blob/1c33bb0507508af24fd754dd7123bd8e997fab2f/arch/x86/include/asm/elf.h#L281-L294
Notes:
+ bwh> This is necessary backward compatibility and can be disabled
+ bwh> through an LSM if wanted.
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: ignored "Not a security flaw"
+5.10-upstream-stable: ignored "Not a security flaw"
+4.19-upstream-stable: ignored "Not a security flaw"
+4.9-upstream-stable: ignored "Not a security flaw"
+sid: ignored "Not a security flaw"
+5.10-bullseye-security: ignored "Not a security flaw"
+4.19-buster-security: ignored "Not a security flaw"
+4.9-stretch-security: ignored "Not a security flaw"
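Review bot: "can be disabled through an LSM if wanted" would be actionable if the note named the mechanism (which LSM or hook denies executable stacks) and pointed at where the behaviour is documented; the current references are a PoC repository and a pinned source line range that will go stale, and neither explains why the executable-stack fallback is intentional compatibility behaviour, which is the basis for the "Not a security flaw" reason.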