author Salvatore Bonaccorso <carnil@debian.org> 2021-04-14 15:05:59 +0200
committer Salvatore Bonaccorso <carnil@debian.org> 2021-04-14 15:05:59 +0200
commit 2072fe5054b76223ee9605dd2698e137671455f8
tree ae85e83e42d577924006bf1a04aaa43573022642 /retired
parent 9abd6cf9515d027e2314e4865c49ec4c08c8265e
Retire several CVEs
Diffstat (limited to 'retired')
-rw-r--r-- retired/CVE-2020-36312 | 11
-rw-r--r-- retired/CVE-2021-26934 | 15
-rw-r--r-- retired/CVE-2021-28951 | 11
-rw-r--r-- retired/CVE-2021-28952 | 12
-rw-r--r-- retired/CVE-2021-29266 | 12
-rw-r--r-- retired/CVE-2021-29646 | 13
-rw-r--r-- retired/CVE-2021-29648 | 13
-rw-r--r-- retired/CVE-2021-29649 | 14
-rw-r--r-- retired/CVE-2021-29657 | 13
-rw-r--r-- retired/CVE-2021-30178 | 14
10 files changed, 128 insertions, 0 deletions
diff --git a/retired/CVE-2020-36312 b/retired/CVE-2020-36312
new file mode 100644
index 000000000..6639dddff
--- /dev/null
+++ b/retired/CVE-2020-36312
@@ -0,0 +1,11 @@
+Description: KVM: fix memory leak in kvm_io_bus_unregister_dev()
+References:
+Notes:
+Bugs:
+upstream: released (5.9-rc5) [f65886606c2d3b562716de030706dfe1bea4ed5e]
+5.10-upstream-stable: N/A "Fixed before branching point"
+4.19-upstream-stable: released (4.19.148) [19184bd06f488af62924ff1747614a8cb284ad63]
+4.9-upstream-stable: released (4.9.238) [840e124f89a5127e7eb97ebf377f4b8ca745c070]
+sid: released (5.8.10-1)
+4.19-buster-security: released (4.19.152-1)
+4.9-stretch-security: released (4.9.240-1)
diff --git a/retired/CVE-2021-26934 b/retired/CVE-2021-26934
new file mode 100644
index 000000000..56a19b63d
--- /dev/null
+++ b/retired/CVE-2021-26934
@@ -0,0 +1,15 @@
+Description: display frontend "be-alloc" mode is unsupported
+References:
+ https://xenbits.xen.org/xsa/advisory-363.html
+ https://lore.kernel.org/lkml/20210216124015.28923-1-jgross@suse.com/
+Notes:
+ carnil> The update only marks the driver as not supported (in src:xen),
+ carnil> so might be ignored overall.
+Bugs:
+upstream: ignored "Xen project patched only documentation mostly relevant to Xen project"
+5.10-upstream-stable: ignored "Xen project patched only documentation mostly relevant to Xen project"
+4.19-upstream-stable: ignored "Xen project patched only documentation mostly relevant to Xen project"
+4.9-upstream-stable: N/A "Affected code not present"
+sid: ignored "Xen project patched only documentation mostly relevant to Xen project"
+4.19-buster-security: ignored "Xen project patched only documentation mostly relevant to Xen project"
+4.9-stretch-security: N/A "Affected code not present"
diff --git a/retired/CVE-2021-28951 b/retired/CVE-2021-28951
new file mode 100644
index 000000000..cc03f2c92
--- /dev/null
+++ b/retired/CVE-2021-28951
@@ -0,0 +1,11 @@
+Description: io_uring: ensure that SQPOLL thread is started for exit
+References:
+Notes:
+Bugs:
+upstream: released (5.12-rc2) [3ebba796fa251d042be42b929a2d916ee5c34a49]
+5.10-upstream-stable: released (5.10.26) [6cae8095490caae12875300243ec94b39b6a2a78]
+4.19-upstream-stable: N/A "Vulnerable code introduced later"
+4.9-upstream-stable: N/A "Vulnerable code introduced later"
+sid: released (5.10.26-1)
+4.19-buster-security: N/A "Vulnerable code introduced later"
+4.9-stretch-security: N/A "Vulnerable code introduced later"
diff --git a/retired/CVE-2021-28952 b/retired/CVE-2021-28952
new file mode 100644
index 000000000..d5862b353
--- /dev/null
+++ b/retired/CVE-2021-28952
@@ -0,0 +1,12 @@
+Description: ASoC: qcom: sdm845: Fix array out of bounds access
+References:
+ https://lore.kernel.org/alsa-devel/20210309142129.14182-2-srinivas.kandagatla@linaro.org/
+Notes:
+Bugs:
+upstream: released (5.12-rc4) [1c668e1c0a0f74472469cd514f40c9012b324c31]
+5.10-upstream-stable: released (5.10.26) [26b08c08a5f3008fe45822d8b163f1516178c42b]
+4.19-upstream-stable: N/A "Vulnerable code introduced later"
+4.9-upstream-stable: N/A "Vulnerable code introduced later"
+sid: released (5.10.26-1)
+4.19-buster-security: N/A "Vulnerable code introduced later"
+4.9-stretch-security: N/A "Vulnerable code introduced later"
diff --git a/retired/CVE-2021-29266 b/retired/CVE-2021-29266
new file mode 100644
index 000000000..02d7681db
--- /dev/null
+++ b/retired/CVE-2021-29266
@@ -0,0 +1,12 @@
+Description: vhost-vdpa: fix use-after-free of v->config_ctx
+References:
+Notes:
+ carnil> vhost-vdpa (Vhost driver for vDPA-based backend) not built.
+Bugs:
+upstream: released (5.12-rc4) [f6bbf0010ba004f5e90c7aefdebc0ee4bd3283b9
+5.10-upstream-stable: released (5.10.26) [49ca3100fbaf864853c922c8f7a8fe7090a83860]
+4.19-upstream-stable: N/A "Vulnerable code introduced later"
+4.9-upstream-stable: N/A "Vulnerable code introduced later"
+sid: released (5.10.26-1)
+4.19-buster-security: N/A "Vulnerable code introduced later"
+4.9-stretch-security: N/A "Vulnerable code introduced later"
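Review bot: The "upstream:" line in retired/CVE-2021-29266 is missing the closing "]" after the commit hash f6bbf0010ba004f5e90c7aefdebc0ee4bd3283b9, unlike every other "released (...) [hash]" line in this commit. Any tooling that extracts the fix commit from the bracketed field may skip or misread this entry, so add the bracket. Separately, the note says vhost-vdpa is not built while sid is recorded as "released (5.10.26-1)"; if the intent is that the Debian binaries were never affected, saying so in the note would make the status easier to interpret.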
diff --git a/retired/CVE-2021-29646 b/retired/CVE-2021-29646
new file mode 100644
index 000000000..5eb075ce8
--- /dev/null
+++ b/retired/CVE-2021-29646
@@ -0,0 +1,13 @@
+Description: tipc: better validate user input in tipc_nl_retrieve_key()
+References:
+Notes:
+ carnil> Commit fixes e1f32190cf7d ("tipc: add support for AEAD key
+ carnil> setting via netlink") in 5.5-rc1.
+Bugs:
+upstream: released (5.12-rc5) [0217ed2848e8538bcf9172d97ed2eeb4a26041bb]
+5.10-upstream-stable: released (5.10.27) [50f41f2e29ff1980f7edfca40bbf81a4336b9feb]
+4.19-upstream-stable: N/A "Vulnerable code introduced later"
+4.9-upstream-stable: N/A "Vulnerable code introduced later"
+sid: released (5.10.28-1)
+4.19-buster-security: N/A "Vulnerable code introduced later"
+4.9-stretch-security: N/A "Vulnerable code introduced later"
diff --git a/retired/CVE-2021-29648 b/retired/CVE-2021-29648
new file mode 100644
index 000000000..fe5f6d6c2
--- /dev/null
+++ b/retired/CVE-2021-29648
@@ -0,0 +1,13 @@
+Description: bpf: Dont allow vmlinux BTF to be used in map_create and prog_load
+References:
+Notes:
+ carnil> Introduced by 5329722057d4 ("bpf: Assign ID to vmlinux BTF and
+ carnil> return extra info for BTF in GET_OBJ_INFO") in 5.11-rc1.
+Bugs:
+upstream: released (5.12-rc5) [350a5c4dd2452ea999cc5e1d4a8dbf12de2f97ef]
+5.10-upstream-stable: N/A "Vulnerable code introduced later"
+4.19-upstream-stable: N/A "Vulnerable code introduced later"
+4.9-upstream-stable: N/A "Vulnerable code introduced later"
+sid: N/A "Vulnerable code introduced later"
+4.19-buster-security: N/A "Vulnerable code introduced later"
+4.9-stretch-security: N/A "Vulnerable code introduced later"
diff --git a/retired/CVE-2021-29649 b/retired/CVE-2021-29649
new file mode 100644
index 000000000..2f5ce2dea
--- /dev/null
+++ b/retired/CVE-2021-29649
@@ -0,0 +1,14 @@
+Description: bpf: Fix umd memory leak in copy_process()
+References:
+Notes:
+ carnil> Commit fixes d71fa5c9763c ("bpf: Add kernel module with user
+ carnil> mode driver that populates bpffs.") introduced in 5.10-rc1 and
+ carnil> might so not affect earlier versions, need check.
+Bugs:
+upstream: released (5.12-rc5) [f60a85cad677c4f9bb4cadd764f1d106c38c7cf8]
+5.10-upstream-stable: released (5.10.27) [ccd5565feea346697c1d1e8e9cd042218b49c44b]
+4.19-upstream-stable: N/A "Vulnerable code introduced later"
+4.9-upstream-stable: N/A "Vulnerable code introduced later"
+sid: released (5.10.28-1)
+4.19-buster-security: N/A "Vulnerable code introduced later"
+4.9-stretch-security: N/A "Vulnerable code introduced later"
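Review bot: The note in retired/CVE-2021-29649 still ends with "might so not affect earlier versions, need check", while the status lines below it already record a definite N/A "Vulnerable code introduced later" for both 4.19 and 4.9. Since the file is being retired, the open question should be resolved in the text: either state that the check was done and d71fa5c9763c is absent from those branches, or drop the "need check" clause so the note does not contradict the final status.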
diff --git a/retired/CVE-2021-29657 b/retired/CVE-2021-29657
new file mode 100644
index 000000000..a9803280b
--- /dev/null
+++ b/retired/CVE-2021-29657
@@ -0,0 +1,13 @@
+Description: KVM: SVM: load control fields from VMCB12 before checking them
+References:
+Notes:
+ carnil> Commit fixes 2fcf4876ada ("KVM: nSVM: implement on demand
+ carnil> allocation of the nested state") in 5.10-rc1.
+Bugs:
+upstream: released (5.12-rc6) [a58d9166a756a0f4a6618e4f593232593d6df134]
+5.10-upstream-stable: released (5.10.28) [5f6625f5cd5c593fae05a6ce22b406166bc796b8]
+4.19-upstream-stable: N/A "Vulnerable code introduced later"
+4.9-upstream-stable: N/A "Vulnerable code introduced later"
+sid: released (5.10.28-1)
+4.19-buster-security: N/A "Vulnerable code introduced later"
+4.9-stretch-security: N/A "Vulnerable code introduced later"
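Review bot: The introducing commit in the retired/CVE-2021-29657 note is abbreviated to 11 characters ("2fcf4876ada"), while the other notes in this commit use 12-character abbreviations (e1f32190cf7d, 5329722057d4, d71fa5c9763c, 8f014550dfb1). Use the 12-character form here as well so the reference stays consistent with the other entries and is less likely to become ambiguous.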
diff --git a/retired/CVE-2021-30178 b/retired/CVE-2021-30178
new file mode 100644
index 000000000..2d5f70ba7
--- /dev/null
+++ b/retired/CVE-2021-30178
@@ -0,0 +1,14 @@
+Description: KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1947139#c4
+Notes:
+ carnil> Possibly only an issue after 8f014550dfb1 ("KVM: x86: hyper-v:
+ carnil> Make Hyper-V emulation enablement conditional") in 5.12-rc1.
+Bugs:
+upstream: released (5.12-rc2) [919f4ebc598701670e80e31573a58f1f2d2bf918]
+5.10-upstream-stable: N/A "Vulnerable code introduced later"
+4.19-upstream-stable: N/A "Vulnerable code introduced later"
+4.9-upstream-stable: N/A "Vulnerable code introduced later"
+sid: N/A "Vulnerable code introduced later"
+4.19-buster-security: N/A "Vulnerable code introduced later"
+4.9-stretch-security: N/A "Vulnerable code introduced later"
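Review bot: The note in retired/CVE-2021-30178 hedges with "Possibly only an issue after 8f014550dfb1 ... in 5.12-rc1", but the 5.10, 4.19, 4.9 and sid lines all assert N/A "Vulnerable code introduced later" without qualification. If the introducing commit was confirmed before retiring, reword the note to say so; if it was not, the N/A statuses rest on an unverified assumption and that should be visible in the reason string.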
